SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #58

July 22, 2016

TOP OF THE NEWS

Ukraine Power Grid Attack Exposes US Power Grid Security Gaps
Dell Releases Fixes for SonicWALL GMS Vulnerabilities
Oracle Quarterly Patch Release Fixes 276 Vulnerabilities

THE REST OF THE WEEK'S NEWS

Automobile Industry ISAC Cybersecurity Best Practices for Connected Vehicles
EFF Sues Government Over DMCA Anti-Circumvention Provision
10-Year Sentence for Technology Export Violations
Firefox Will Block Invisible Flash Content
Alleged Operator of KAT Filesharing Website Charged
Library of Congress DDoS Attack
FTC Shuts Down Tech Support Schemes
Apple Updates
Cici's Pizza Breach

INTERNET STORM CENTER TECH CORNER


*********************** Sponsored By ThreatSTOP *************************

Last year, 1 out of every 3 Americans was the victim of a healthcare data breach. ThreatSTOP's latest research report, "Healthcare Data Under Siege: Ransomware and the Cyber Threat Landscape" provides insight into what makes the healthcare industry both an attractive and vulnerable target for attacks.
http://go.threatstop.com/Healthcare-Whitepaper.html

***************************************************************************

TRAINING UPDATE

--SANS Boston 2016 | Boston, MA | August 1-6 | https://www.sans.org/event/boston-2016

--SANS Vienna | Vienna, Austria | August 1-6 | https://www.sans.org/event/vienna-2016

--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | https://www.sans.org/event/security-awareness-summit-2016

--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016

--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016

--SANS Virginia Beach 2016 | Virginia Beach, VA | August 22-September 2 | https://www.sans.org/event/virginia-beach-2016

--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016

--SANS Northern Virginia 2016 | Crystal City, VA | September 6-11 | https://www.sans.org/event/crystal-city-2016

--SANS Network Security 2016 | Las Vegas, NV | September 10-19 | https://www.sans.org/event/network-security-2016

--Security Leadership Summit & Training | September 27 - October 4, 2016 | Dallas, TX | https://www.sans.org/event/security-leadership-summit-2016

***************************************************************************

TOP OF THE NEWS

Ukraine Power Grid Attack Exposes US Power Grid Security Gaps (July 19, 2016)

This four-part investigation examines the cyberattack that cut off power for nearly 250,000 homes and businesses in western Ukraine in December, and how it revealed "cracks in US readiness to stop a cyberattack on America's electric grid."
Read more in:
E&E News EnergyWire Investigation: The Hack
-http://www.eenews.net/special_reports/the_hack

Dell Releases Fixes for SonicWALL GMS Vulnerabilities (July 20, 2016)

Dell has issued patches for six vulnerabilities in its SonicWALL Global Management System (GMS), four of which are considered critical. The flaws could be exploited to gain control of the software and all connected appliances.

[Editor Comments]

[Williams] These vulnerabilities include a hardcoded backdoor account. Enterprise consumers must insist that the products that they buy are free of backdoor code that completely undermines security models. We recommend to clients that their contract language includes fiscal penalties for such shenanigans; e.g. if a backdoor is found in your product, annual maintenance fees will be reduced by 30% next year. When vendors balk at this, we remind them that this only applies if they have developed backdoors - and they'd never do that...
Read more in:
ZDNet: Hidden 'backdoor' in Dell security software gives hackers full access
-http://www.zdnet.com/article/hidden-backdoor-account-found-in-dell-network-security-software/

Computerworld: Dell patches critical flaws in SonicWALL Global Management System
-http://www.computerworld.com/article/3098645/security/dell-patches-critical-flaws-in-sonicwall-global-management-system.html

Dell Advisory: SonicWALL GMS Product Notification
-https://support.software.dell.com/product-notification/207447?productName=SonicWALL%20GMS

Digital Defense: DDI Discovers Six New Vulnerabilities
-https://www.digitaldefense.com/ddi-six-discoveries/

Oracle Quarterly Patch Release Fixes 276 Vulnerabilities (July 20 and 21, 2016)

Oracle's quarterly patch release addresses 276 security issues in more than 80 of its products. Of those, 159 could be exploited remotely without authentication. The release includes patches for 13 flaws in Java SE.

[Editor Comments]

[Williams] Oracle produces libraries used in many other products that are also put at risk by these vulnerabilities. Cisco Talos did a great writeup recently on Oracle's OIT product vulnerabilities. The OIT libraries are used in a wide range of software products, many of which will require downstream patches. For more information see:
-http://blog.talosintel.com/2016/07/vulnerability-spotlight-oracles-outside.html#conclusion

Read more in:
The Register: What's big and red and squashes 276 bugs, 19 of them critical?
-http://www.theregister.co.uk/2016/07/20/oracle_quarterly_patches/
Computerworld: Oracle issues largest patch bundle ever, fixing 276 security flaws
-http://www.computerworld.com/article/3098024/security/oracle-issues-largest-patch-bundle-ever-fixing-276-security-flaws.html

SC Magazine: Oracle patches 276 bugs in largest bundle to date
-http://www.scmagazine.com/oracle-patched-276-bugs-in-more-than-80-products/article/510838/

V3: Oracle releases a record 276 security patches to fix enterprise software flaws
-http://www.v3.co.uk/v3-uk/news/2465644/oracle-releases-a-record-276-security-patches-to-fix-enterprise-software-flaws



*************************** SPONSORED LINKS *****************************
1) Visit VMRay at BlackHat booth #1372: see how our agentless hypervisor-based threat analysis evades malware detection. http://www.sans.org/info/187505

2) Don't Miss: Illuminate Your Network with Security Analytics. Thursday, July 28th, 2016 at 11:00 AM (11:00:00 EDT/US Eastern) with Andrew Wild. http://www.sans.org/info/187510

3) What Works: A Credit Union Increased Network Security With Network Access Control Based on Great Bay Software Beacon Thursday, July 28th, 2016 at 3:00 PM (15:00:00 EDT/US Eastern) with John Pescatore and Jeremy Taylor. http://www.sans.org/info/187515
***************************************************************************

THE REST OF THE WEEK'S NEWS

Automobile Industry ISAC Cybersecurity Best Practices for Connected Vehicles (July 21, 2016)

The Automotive Information Sharing and Analysis Center (Auto-ISAC) has published best practices for cybersecurity in connected vehicles. The document addresses governance and accountability, risk mitigation and management, secure design practices, threat detection and mitigation, and incident response.

[Editor Comments]

[Williams] One thing missing from this document is a recommendation for third party penetration testing and vulnerability assessments. Organizations that rely only on in-house vulnerability assessments are likely to fail in their own echo chamber - you are less likely to find vulnerabilities in your own products.
Read more in:
Dark Reading: Auto Industry ISAC Releases Best Practices For Connected Vehicle Cybersecurity
-http://www.darkreading.com/vulnerabilities---threats/auto-industry-isac-releases-best-practices-for-connected-vehicle-cybersecurity/d/d-id/1326347?

Automotive ISAC: Automotive Cybersecurity Best Practices
-http://www.automotiveisac.com/best-practices/

EFF Sues Government Over DMCA Anti-Circumvention Provision (July 21, 2016)

The Electronic Frontier Foundation (EFF) is suing the US government, seeking to remove a clause from the Digital Millennium Copyright Act (DMCA) that it says is unconstitutional. The lawsuit argues that the DMCA's anti-circumvention provisions violate citizens' constitutional right to freedom of expression. While there is an exemption for research, the EFF says that it is interpreted too narrowly.
Read more in:
The Hill: EFF: Controversial copyright law unconstitutional
-http://thehill.com/policy/cybersecurity/288670-eff-controversial-copyright-law-unconstitutional

EFF: Complaint
-https://www.eff.org/document/1201-complaint
EFF Press Release: EFF Lawsuit Takes on DMCA Section 1201: Research and Technology Restrictions Violate the First Amendment
-https://www.eff.org/press/releases/eff-lawsuit-takes-dmca-section-1201-research-and-technology-restrictions-violate

10-Year Sentence for Technology Export Violations (July 21, 2016)

Alexander Fishenko has been sentenced to 10 years in prison for shipping military-related technology from the US to Russian intelligence and military contractors. Nine other people and two corporations have been charged in connection with the operation. Over a 10-year period, Fishenko and others arranged for more than US $50 million worth of technology to ship to Russia. Authorities also seized US $500,000 in proceeds from the scheme.
Read more in:
The Hill: 10-year sentence for man who shipped defense tech to Russia
-http://thehill.com/policy/cybersecurity/288725-10-year-sentence-for-man-who-shipped-defense-tech-to-russia

Reuters: Texan gets 10 years in U.S. prison for Russian tech export scheme
-http://www.reuters.com/article/us-usa-russia-fishenko-idUSKCN1012ML?il=0

Firefox Will Block Invisible Flash Content (July 20 and 21, 2016)

With the release of Firefox 48 on August 2, Mozilla will block certain Flash content in its Firefox browser. According to Mozilla, if you can't see the Flash content, Firefox will not run it. The move should prolong battery life, help protect against malicious scripts, and make it harder to deploy Flash "supercookies".

[Editor Comments]

[Northcutt] This is enormously positive and follows Chrome's lead from last month, which stops any Flash that is "not central" to the webpage:
-https://techcrunch.com/2015/06/04/chrome-now-automatically-pauses-flash-content-that-isnt-central-to-a-web-page/

Read more in:
Mozilla: Reducing Adobe Flash Usage in Firefox
-https://blog.mozilla.org/futurereleases/2016/07/20/reducing-adobe-flash-usage-in-firefox/

The Register: Firefox to banish hidden Flash files - and kill off sneaky ad snoopers
-http://www.theregister.co.uk/2016/07/20/firefox_blocking_flash/
BBC: Mozilla to block Flash in Firefox browser
-http://www.bbc.com/news/technology-36856449
V3: Firefox moves to kill off Flash plug-in support
-http://www.v3.co.uk/v3-uk/news/2465621/firefox-moves-to-kill-off-flash-plug-in-support

Ars Technica: Firefox to start blocking Flash content in August
-http://arstechnica.com/information-technology/2016/07/firefox-will-start-blocking-flash-content-in-august-fully-click-to-play-in-2017/

ZDNet: Mozilla will start blocking Flash in Firefox this August
-http://www.zdnet.com/article/mozilla-will-start-blocking-flash-in-firefox-this-august/

Alleged Operator of KAT Filesharing Website Charged (July 20 and 21, 2016)

US federal authorities have charged Artem Vaulin with money laundering and copyright infringement for allegedly owning and operating the Kickass Torrents (KAT) website, which facilitated access to pirated content. Vaulin was arrested in Poland earlier this week and the US plans to seek his extradition. The Christian Science Monitor article notes that Apple provided the FBI with information that helped lead to Vaulin's arrest.
Read more in:
Christian Science Monitor: How Apple and the FBI took down the world's largest torrent site
-http://www.csmonitor.com/Technology/2016/0721/How-Apple-and-the-FBI-took-down-the-world-s-largest-torrent-site

BBC: File-sharing 'mastermind' arrested in Poland
-http://www.bbc.com/news/world-us-canada-36852495
Washington Post: Alleged founder of world's most popular illegal file-sharing site KickassTorrents arrested
-https://www.washingtonpost.com/news/the-switch/wp/2016/07/20/alleged-founder-of-worlds-most-popular-illegal-file-sharing-site-arrested/

US Department of Justice: Owner of Most-Visited Illegal File-Sharing Website Charged with Criminal Copyright Infringement
-https://www.justice.gov/usao-ndil/pr/owner-most-visited-illegal-file-sharing-website-charged-criminal-copyright-infringement

Library of Congress DDoS Attack (July 18 and 20, 2016)

Computer systems at the US Library of Congress were the target of a distributed denial-of-service (DDoS) for four days earlier this week. The attack affected "Library services and websites, including Congress.gov, the US Copyright Office, the BARD service from the National Library Service for the Blind and Physically Handicapped," databases, and email service. Technical details of the attack were not discussed beyond a blog post that noted the attack "was a massive and sophisticated ... assault, employing multiple forms of attack, adapting and changing on the fly." The systems have returned to normal operation, although there may be some "residual issues."
Read more in:
The Hill: After 4-day cyberattack, Library of Congress returning to normal
-http://thehill.com/policy/cybersecurity/288564-after-3-day-cyberattack-library-of-congress-returning-to-normal

FCW: Library of Congress wracked by DNS attack?
-https://fcw.com/Articles/2016/07/18/LOC-cyber-attack.aspx
Library of Congress: Library Fends Off DDoS Attack
-https://blogs.loc.gov/loc/2016/07/library-fends-off-ddos-attack/

FTC Shuts Down Tech Support Schemes (July 20, 2016)

The US Federal Trade Commission (FTC) has shut down a number of computer support scam schemes. Groups working in Iowa, Nevada, Florida, and Canada have had their assets seized and their websites shuttered. The groups targeted in this operation did not conduct cold calls, but instead relied on business from pop-up advertisements that "warned" users of
Read more in:
Computerworld: Feds shut down tech support scammers, freeze assets
-http://www.computerworld.com/article/3097576/malware-vulnerabilities/feds-shut-down-tech-support-scammers-freeze-assets.html

Apple Updates (July 19 and 20, 2016)

Apple has released security updates for iTunes, iOS, OS X El Capitan, Safari, tvOS, and watchOS. The fixes include patches for critical remote code execution flaws in iOS and OS X, and a patch for a flaw in FaceTime that could be exploited through a man-in-the-middle attack to eavesdrop on conversations after the user believes the call has ended.
Read more in:
The Register: Apple kills eavesdrop bug in FaceTime
-http://www.theregister.co.uk/2016/07/19/apple_patches_july2016/
SC Magazine: Apple patches remote code execution flaws
-http://www.scmagazine.com/apple-patches-remote-code-execution-flaws/article/510605/

Cici's Pizza Breach (July 19, 2016)

The Cici's Pizza restaurant chain has acknowledged that attackers breached point-of-sale (POS) systems at more than 135 locations. According to the statement from Cici's, some locations reported problems with POS systems in March. The POS vendor launched an investigation, found malware on some systems, and began a review and remediation program for all locations. At some restaurants, the breaches began in 2015; most started in March 2016.
Read more in:
KrebsonSecurity: Cici's Pizza: Card Breach at 130+ Locations
-http://krebsonsecurity.com/2016/07/cicis-pizza-card-breach-at-130-locations/
Cici's: Protecting Our Guests
-http://www.cicis.com/news/data-notification-all

INTERNET STORM CENTER TECH CORNER

Objective Systems ASN1C Compiler Creates Vulnerable Code
-https://github.com/programa-stic/security-advisories/tree/master/ObjSys/CVE-2016-5080

Office Maldoc Analysis
-https://isc.sans.edu/forums/diary/Office+Maldoc+Lets+Focus+on+the+VBA+Macros+Later/21275/

Defeating GMail's Malicious Macro Signatures
-https://warroom.securestate.com/bypassing-gmails-malicious-macro-signatures/

Oracle Critical Patch Update
-http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html

DNS Root Key Rotation
-http://schd.ws/hosted_files/icann562016/60/Matt%20Larson%20ICANN56%20KSK%20roll%20briefing.pdf

Anti-Malware Codehooking Vulnerabilities
-http://breakingmalware.com/vulnerabilities/captain-hook-pirating-avs-bypass-exploit-mitigations/

More Details Regarding Apple's Image I/O Vulnerability
-http://www.talosintelligence.com/reports/TALOS-2016-0171/

A Practice ntds.dit File For Hash Extraction and Password Cracking
-https://isc.sans.edu/forums/diary/Practice+ntdsdit+File/21287/

Little Snitch Update
-https://www.obdev.at/products/littlesnitch/releasenotes.html

PHP 7.0.9 / 5.6.24 Released (fixes httpoxy vulnerability)
-http://php.net/ChangeLog-7.php#7.0.9
-http://www.php.net/ChangeLog-5.php#5.6.24

Google Chrome Update
-http://googlechromereleases.blogspot.com/search/label/Stable%20updates


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create