SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #54

July 08, 2016

TOP OF THE NEWS

European Parliament Approves Cybersecurity Law
Report: IRS Access Revocation Controls Ineffective
Google Testing New Encryption That Protects Against Quantum Attacks

THE REST OF THE WEEK'S NEWS

HummingBad Android Malware
Google Releases Fixes for More than 100 Android Security Issues
Eleanor, Keydnap Malware Targets Macs
Microsoft Offers Advice on Group Policy Problems Caused by June Update
Malware and TLS
D-Link Camera Vulnerability Found in Other Devices
Wendy's: Payment Card Data Breach Affected More Than 1,000 Locations

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

*********************** Sponsored By MobileIron *************************

Take the Mobility Assessment to determine if your enterprise mobility management strategy is on track to succeed. Benchmark your performance, understand where you may have security risks and receive recommendations tailored to your situation. Take the assessment!
http://www.sans.org/info/187017

***************************************************************************

TRAINING UPDATE

--SANS London Summer 2016| London, UK | July 9-16 | https://www.sans.org/event/london-in-the-summer-2016

--SANS Rocky Mountain | Denver, CO | July 11-16 | https://www.sans.org/event/rocky-mountain-2016

--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | https://www.sans.org/event/minneapolis-2016

--SANS San Antonio | San Antonio, TX | July 18-23 | https://www.sans.org/event/san-antonio-2016

--Industrial Control Systems Security Training | Houston, TX | July 25-30 | https://www.sans.org/event/ics-houston-summit-training-2016

--SANS Boston 2016 | Boston, MA | August 1-6 | https://www.sans.org/event/boston-2016

--SANS Vienna | Vienna, Austria | August 1-6 | https://www.sans.org/event/vienna-2016

--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | https://www.sans.org/event/security-awareness-summit-2016

--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016

--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016

--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016

***************************************************************************

---

TOP OF THE NEWS

European Parliament Approves Cybersecurity Law (July 6, 2016)

The European Parliament has approved cybersecurity legislation that "establishes a common level of network and information security and enhances cooperation among EU member states, which will help prevent cyberattacks on Europe's important interconnected infrastructures." The new rules affect a broad spectrum of business sectors, including finance, energy, transportation, and technology.

[Editor Comments ]
(Pescatore): Can't see the details until it is published, but for global companies who operated cross Europe, a harmonized EU approach to security would be a good thing. Not sure how this impacts the various privacy laws and regulations in union contracts that vary by country in Europe. Also, I guess the UK has to make a decision since "Brexit" - will they go their own way or join in with the EU?
(Honan): This is a very welcome move and will have a major impact on cybersecurity within the European Union. It will ensure a minimum level of requirements in relating to cybersecurity to be implemented across all member states, such as the establishment of National CSIRTs. While the focus of the legislation is on Critical Infrastructure this will impact a wider range of organisations that act as part of that sector's supply chain.
Read more in: ZDNet: European lawmakers approve new cybersecurity law
-http://www.zdnet.com/article/european-lawmakers-approve-new-cybersecurity-law/
Bloomberg: European Union's First Cybersecurity Law Gets Green Light
-http://www.bloomberg.com/news/articles/2016-07-06/european-union-s-first-cyberse
curity-law-gets-green-light
European Parliament Press Release: Cybersecurity: MEPs back rules to help vital services resist online threats
-http://www.europarl.europa.eu/news/en/news-room/20160701IPR34481/Cybersecurity-M
EPs-back-rules-to-help-vital-services-resist-online-threats
European Parliament Press Release: Cyber security: new rules to protect Europe's infrastructure
-http://www.europarl.europa.eu/news/en/news-room/20160701STO34371/Cyber-security-
new-rules-to-protect-Europe's-infrastructure

Report: IRS Access Revocation Controls Ineffective (July 7, 2016)

According to a report from the Treasure Inspector General for Tax Administration (TIGTA), in many cases, the US Internal Revenue Service (IRS) cannot verify that departing employees surrendered keys, government identification, and other items that could allow them access to physical facilities and computer networks. TIGTA recommended updating guidance regarding employees leaving the agency, create an inventory process for the return of security items, and ensure that departing employees' physical and digital access is revoked.

[Editor Comments ]
(Williams): Regularly auditing for dormant accounts can help discover employees who have left without proper access revocation.
Read more in: Nextgov: Watchdog: Former IRS Employees Might Still Have Access to Computers, Facilities
-http://www.nextgov.com/cybersecurity/2016/07/watchdog-former-irs-employees-might
-still-have-access-computers-facilities/129729/?oref=ng-HPtopstory
Accounting Today: Fired IRS Employees Don't Always Have Access Revoked
-http://www.accountingtoday.com/news/tax-practice/fired-irs-employees-dont-always
-have-access-revoked-78616-1.html

Google Testing New Encryption That Protects Against Quantum Attacks (July 7, 2016)

Google has begun testing a new form of encryption in its Chrome browser designed to protect systems from quantum attacks. Google is adding a post-quantum key-exchange algorithm to a small number of connections between the desktop version of Chrome and Google's servers.
Read more in: Wired: Google Tests New Crypto in Chrome to Fend Off Quantum Attacks
-https://www.wired.com/2016/07/google-tests-new-crypto-chrome-fend-off-quantum-at
tacks/
ZDNet: Google is experimenting with post-quantum cryptography
-http://www.zdnet.com/article/google-is-experimenting-with-post-quantum-cryptogra
phy/

---

*************************** SPONSORED LINKS *****************************
1) Why Layered Security Strategies Dont Work and What You Can Do About It. Tuesday, July 19th, 2016 at 11:00 AM (11:00:00 EDT/US Eastern) with Navneet Singh. http://www.sans.org/info/187022

2) What Works: A Credit Union Increased Network Security With Network Access Control Based on Great Bay Software Beacon. Thursday, July 28th, 2016 at 3:00 PM (15:00:00 EDT/US Eastern) with John Pescatore and Jeremy Taylor. http://www.sans.org/info/187032

3) "Insider threats remain high concern among healthcare industry" - 2 Part Webcast Series- 7/20 & 7/21 @ 1 PM ET. http://www.sans.org/info/187037
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

HummingBad Android Malware (July 4, 5, and 6, 2016)

Malware known as HummingBad, which affects Android devices, is believed to have infected as many as 85 million devices. The malware spreads through drive-by downloads and malicious content served on pornography websites. It tries to gain root access to the infected device. If that fails, HummingBad seeks permissions to gain administrative access to the device. The malware is believed to emanate from China; those behind the scheme are believed to be part of a legitimate advertising analytics company. HummingBad has been earning them US $300,000 a month selling access to the infected systems and through fraudulent advertisements and app downloads.
Read more in: The Register: Outed China ad firm infects 10m Androids, makes $300k a month
-http://www.theregister.co.uk/2016/07/06/hummingbad_/
V3: HummingBad malware infects 85 million Android devices
-http://www.v3.co.uk/v3-uk/news/2463733/hummingbad-malware-infects-85-million-and
roid-devices
ZDNet: This Android malware has infected 85 million devices and makes its creators $300,000 a month
-http://www.zdnet.com/article/this-android-malware-has-infected-85-million-device
s-and-makes-its-creators-300000-a-month/

Google Releases Fixes for More than 100 Android Security Issues (July 6 and 7, 2016)

On Wednesday, July 6, Google released its largest batch of updates for Android to date. The release includes fixes for more than 100 security issues. The July bulletin for Android "defines two security patch level strings to provide Android partners with the flexibility to move more quickly to fix a subset of vulnerabilities that are similar across all Android devices."

[Editor Comments ]
(Northcutt): There is a related story in this edition of NewsBites about the so-called HummingBad vulnerability. Google needs to patch often and patch fast. Most Android users only care about cost and features, but the higher end BYOD market could start to see resistance if they do not start to show improvement:
-http://www.idc.com/prodserv/smartphone-os-market-share.jsp]

Read more in: eWeek: Google Issues Largest Android Security Update
-http://www.eweek.com/security/google-issues-largest-android-security-update.html
The Register: Huge double boxset of Android patches lands after Qualcomm disk encryption blown open
-http://www.theregister.co.uk/2016/07/06/android_update_patch_list_nexus_qualcomm
/
Computerworld: Google fixes over 100 flaws in Android, many in chipset drivers
-http://www.computerworld.com/article/3091922/security/google-fixes-over-100-flaw
s-in-android-many-in-chipset-drivers.html
Android: Android Security Bulletin-July 2016
-https://source.android.com/security/bulletin/2016-07-01.html

Eleanor, Keydnap Malware Targets Macs (July 6 and 7, 2016)

Several strains of malware that target Mac computers have been detected. Backdoor.MAC.Eleanor installs a backdoor on infected machines so attackers can assume full control of infected computers via the Tor network. Keydnap steals passwords and encryption keys from the Mac keychain. A third strain of malware, Pirrit, causes a deluge of pop-up advertisements on infected systems, and also opens a backdoor.
Read more in: Ars Technica: After hiatus, in-the-wild Mac backdoors are suddenly back
-http://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-a
re-suddenly-back/
ZDNet: Apple backdoor malware steals the keys to your kingdom
-http://www.zdnet.com/article/apple-backdoor-steals-the-keys-to-your-kingdom/
CNET: New Mac malware discovered in the wild installing backdoors?
-http://www.cnet.com/news/new-mac-malware-discovered-in-the-wild-installing-backd
oors/
SC Magazine: Eleanor Mac malware opens Tor connection for attackers to spy on and control Macs
-http://www.scmagazine.com/eleanor-mac-malware-opens-tor-connection-for-attackers
-to-spy-on-and-control-macs/article/507905/
Computerworld: New Tor-powered backdoor program targets Macs
-http://www.computerworld.com/article/3092246/security/new-tor-powered-backdoor-p
rogram-targets-macs.html

Microsoft Offers Advice on Group Policy Problems Caused by June Update (July 5, 6 and 7, 2016)

Microsoft's batch of patches last month included an update that altered the way Group Policy Objects (GPOs) work for some organizations. The update was designed to prevent man-in-the-middle attacks, but for some customers, the update exposed drives that were supposed to be hidden, and made networked printers and application shortcuts disappear. A Microsoft blog post offers options for fixing the GPO problems.
Read more in: eWeek: Microsoft Issues Guidance on Group Policy-Breaking Patches
-http://www.eweek.com/security/microsoft-issues-guidance-on-group-policy-breaking
-patches.html
ZDNet: Microsoft: Here's how to fix the Group Policy mess caused by our security update
-http://www.zdnet.com/article/microsoft-heres-how-to-fix-the-group-policy-mess-ca
used-by-our-security-update/
Microsoft Technet: Who broke my user GPOs?
-https://blogs.technet.microsoft.com/askpfeplat/2016/07/05/who-broke-my-user-gpos
/

Malware and TLS (July 7, 2016)

According to a paper by Blake Anderson, Subharthi Paul, and David McGrew, certain "observable data features" in TLS could be analyzed to detect malware without the need to decrypt traffic. Research conducted in an enterprise setting led to the conclusion that "malware's use of TLS is distinct from benign usage."

[Editor Comments ]
(Ullrich): This is an interesting approach, but it is likely to work well only for the specific malware samples investigated in this study. Malware uses the same SSL libraries used by other software, even if it uses different parameters. The malware will be able to easily adjust and mimic browsers well enough to go undetected. This methodology will likely also flag SSL connections created by various harmless scripts that, just like malware, don't go to the trouble of adjusting all SSL parameters.
(Honan): As attackers become more sophisticated it is research into techniques like this that will help us better defend our systems. Knowing what normal or benign behaviour looks like is an excellent way to identify unknown attacks due to how they deviate from the norm.
Read more in: The Register: Unmasking malware in TLS connections? It can be done, say Cisco researchers
-http://www.theregister.co.uk/2016/07/07/unmasking_malware_in_tls_connections_it_
can_be_done_say_cisco_researchers/
ArXiv: Deciphering Malware's use of TLS (without Decryption)
-http://arxiv.org/abs/1607.01639

D-Link Camera Vulnerability Found in Other Devices (July 7 and 8, 2016)

A vulnerability initially detected in D-Link wireless IP surveillance cameras is now known to affect as many as 400,000 devices, because the flawed software component was used in other D-Link devices. D-Link was notified of the issue by researchers; the company performed its own analysis of its devices and determined that 120 different products contain the vulnerable component. The flaw allows attackers to take control of the administrator account on the devices. There is currently no patch available.

[Editor Comments ]
(Williams): This vulnerability - a stack based buffer overflow - illustrates how far behind IoT devices are lacking in basic exploit mitigations like stack canaries. The only good news is that the vulnerability requires different return addresses for each model impacted.
Read more in:
-https://isc.sans.edu/forums/diary/Pentesters+and+Attackers+Love+Internet+Connect
ed+Security+Cameras/21231/
SC Magazine: D-Link flaw affects 400,000 devices
-http://www.scmagazine.com/d-link-flaw-affects-400000-devices/article/508192/
The Register: 414,949 D-Link cameras, IoT devices can be hijacked over the net
-http://www.theregister.co.uk/2016/07/08/414949_dlink_cameras_iot_devices_can_be_
hijacked_over_the_net/

Wendy's: Payment Card Data Breach Affected More Than 1,000 Locations (July 7, 2016)

Wendy's fast food restaurant chain now says that malware was found on point-of-sale systems at more than 1,025 of its franchises, considerably more than the 300 initially reported earlier this year. The breach compromised customer payment card information; fraudulent activity involving some of those accounts was first detected in fall 2015.
Read more in: BBC: Food chain Wendy's hit by massive hack
-http://www.bbc.com/news/technology-36742599
CNET: Wendy's says payment card info accessed in malware attack
-http://www.cnet.com/news/speed-desk-headlinewendys-opens-up-about-malware-says-h
ackers-accessed-payment-info/
ZDNet: Wendy's admits credit card hack is far worse than first thought
-http://www.zdnet.com/article/wendy-restaurants-credit-card-hack-worse-than-thoug
ht/

---

INTERNET STORM CENTER TECH CORNER

Apache Fixes Critical HTTP/2 TLS Authentication Flaw
-https://isc.sans.edu/forums/diary/Apache+Update+TLS+Certificate+Authentication+B
ypass+with+HTTP2+CVE20164979/21223/

Gigabyte and HP Motherboards Affected by "ThinkPwn" UEFI Vulnerability
-https://twitter.com/al3xtjames

UK Police Data Breaches
-https://www.bigbrotherwatch.org.uk/wp-content/uploads/2016/07/Safe-in-Police-Han
ds.pdf

Mac Malware Uses Tor For C&C
-https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/

Front Door Intercom Backdoor
-http://www.synacktiv.ninja/ressources/NDH-Intercoms_presentation_Dudek.pdf

wget arbitrary command line execution with redirects
-https://blogs.securiteam.com/index.php/archives/2701

CryptXXX Update
-https://isc.sans.edu/forums/diary/CryptXXX+ransomware+updated/21229/

Symantec Patches On the Way (but not fast)
-https://twitter.com/taviso?lang=en

Android Adware/Malware
-https://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-repor
t_FINAL-62916.pdf

HP Updates Comware and VCX Routers
-https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05184351

Tracking Devices With Randomized Wifi MAC Addresses
-http://papers.mathyvanhoef.com/asiaccs2016.pdf

Patchwork: Is it still "Advanced" if all you have to do is Copy/Paste?
-https://isc.sans.edu/forums/diary/Patchwork+Is+it+still+Advanced+if+all+you+have
+to+do+is+CopyPaste/21235/

OUCH Newsletter
-https://securingthehuman.sans.org/resources/newsletters/ouch/2016#july2016

Discovering Malware in TLS Traffic
-http://arxiv.org/abs/1607.01639

TP-Link Uses tplinklogin.net Domain
-http://thehackernews.com/2016/07/tp-link-router-setting.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create