Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #59

July 26, 2016

TOP OF THE NEWS

US Critical Infrastructure and Cyberattack Preparedness
Illinois Passes Law Limiting Use of Stingray Data
Portal Offers Help with Ransomware

THE REST OF THE WEEK'S NEWS

FBI Investigating DNC eMail Breach
Amazon Fixes SSL Security Issue in Silk Browser
US $50 Million Piracy Site Lawsuit Settlement
Ransomware Decryption Tools Available
Election Brings eVoting Machine Concerns
iOS and Mac OS X Image Handling Flaws
Report: FBI Threat Prioritization Process is Problematic
White House Cyber Workforce Strategy

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


*********************** Sponsored By Sophos Inc. *************************

NEW Synchronized Encryption: for the first time, encryption plays an active role in your integrated threat protection system. What does this mean for you and how can you use it to keep your data safe from today's threats? Learn more:
http://www.sans.org/info/187595

***************************************************************************

TRAINING UPDATE

--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016

--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016

--SANS Virginia Beach 2016 | Virginia Beach, VA | August 22-September 2 | https://www.sans.org/event/virginia-beach-2016

--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016

--SANS Northern Virginia 2016 | Crystal City, VA | September 6-11 | https://www.sans.org/event/crystal-city-2016

--SANS Network Security 2016 | Las Vegas, NV | September 10-19 | https://www.sans.org/event/network-security-2016

--Security Leadership Summit & Training | September 27 - October 4, 2016 | Dallas, TX | https://www.sans.org/event/security-leadership-summit-2016

--SANS Seattle 2016 | October 3 - October 8, 2016 | Seattle, WA | https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3 - October 15, 2016 | Prague, Czech Republic | https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10 - October 15, 2016 | Baltimore, MD | https://www.sans.org/event/baltimore-2016

***************************************************************************

TOP OF THE NEWS

US Critical Infrastructure and Cyberattack Preparedness (July 21, 2016)

Speaking at the Chemical Sector Security Summit last week, Department of Homeland Security (DHS) assistant secretary for cybersecurity and communications Andy Ozment said that the December attack against the power grid in Ukraine should be "a wake up call" for organizations supporting critical infrastructure in the US. Ozment called the Ukraine attack "the template to defend against."

[Editor Comments ]


[Assante ]
There is a lot to learn from the December attacks in Ukraine, but I would caution infrastructure operators to consider the "template" to be attacks that are multi-modal, aware of process operations, are capable of process manipulation, and include ICS destruction vice any specific tactic or technique used by the attacker. The attackers proved they were adaptive and intelligent and the next attack will likely be different. This is why we developed a defense use case with the E-ISAC that addressed how to mitigate the specific attack and expanded our recommendations beyond to potential future manifestations.

[Honan ]
How many times do we as a society need to have a "wake up call" when it comes to cybersecurity? Until vendors and companies are mandated to secure their systems and accept liability for when they fail we will continue to see security treated as a low priority.
Read more in:
FCW: Are U.S. chemical plants ready for cyberattacks?
-https://fcw.com/articles/2016/07/21/dhs-cyber-chemical.aspx

Illinois Passes Law Limiting Use of Stingray Data (July 25, 2016)

The American Civil Liberties Union (ACLU) has released an announcement about Illinois Governor Bruce Rauner's signing of Senate Bill 2343, which "increases transparency" and limits what law enforcement can do with information collected with cell site simulators, often referred to as stingrays. The law also requires that law enforcement obtain a warrant prior to using cell site simulator technology. Illinois State Senator Daniel Biss sponsored the measure.

[Editor Comments ]


[Murray ]
One might well settle for the warrant requirement but this law also rejects the idea that law enforcement can hide novel investigative techniques from the courts in an attempt to avoid the requirement for warrants.
Read more in:
SC Magazine: Illinois ACLU applauds new stingray regulation
-http://www.scmagazine.com/illinois-stingray-bill-praised-by-aclu/article/511666/
Evanston Roundtable: Sen. Biss Stingray Measure Signed into Law
-http://www.evanstonroundtable.com/main.asp?SectionID=15&SubSectionID=26&
ArticleID=12296

ACLU: Statement: Governor Bruce Rauner signs Senate Bill 2343 (Cell site simulator regulation)
-http://www.aclu-il.org/statement-governor-bruce-rauner-signs-senate-bill-2343-ce
ll-site-simulator-regulation/

Portal Offers Help with Ransomware (July 25, 2016)

Europol, along with the Dutch National Police, Kaspersky Lab, and Intel Security, has launched the No More Ransom portal. Its goal is to educate people about ransomware and to provide resources to help people recover files without paying a ransom. The site includes tools for unlocking certain strains of ransomware, and will allow people whose computers have been infected to upload encrypted files to determine which strain of the malware was used.

[Editor Comments ]


[Murray ]
Ransomware attacks are easier to prevent than to recover from. The necessary measures (restrictive access controls) are not nearly so burdensome as people think.

[Honan ]
This is a great example of how public/private partnerships can work together to help tackle cybercrime. This portal will prove to be very useful for many that may fall victim to ransomware. However, it is important to note that not all variants are included, such as Locky and its variants. So prevention is still better than the cure. Another great resource for dealing with ransomware has also been made available at
-https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvm
c5g/pubhtml#

which includes IoCs and recommendations on how to block different ransomware strains.
Read more in:
BBC: Ransomware advice service to tackle extortion gangs
-http://www.bbc.com/news/technology-36883056
ZDNet: This initiative wants to help ransomware victims decrypt their files for free
-http://www.zdnet.com/article/this-initiative-wants-to-help-ransomware-victims-de
crypt-their-files-for-free/

Dark Reading: New Portal Offers Decryption Tools For Some Ransomware Victims
-http://www.darkreading.com/vulnerabilities---threats/new-portal-offers-decryptio
n-tools-for-some-ransomware-victims/d/d-id/1326384?



*************************** SPONSORED LINKS *****************************
1) Don't Miss: Illuminate Your Network with Security Analytics. Thursday, July 28th, 2016 at 11:00 AM (11:00:00 EDT/US Eastern) with Andrew Wild. http://www.sans.org/info/187510

2) What Works: A Credit Union Increased Network Security With Network Access Control Based on Great Bay Software Beacon Thursday, July 28th, 2016 at 3:00 PM (15:00:00 EDT/US Eastern) with John Pescatore and Jeremy Taylor. http://www.sans.org/info/187515

3) PokCmon Go - What To Tell Employees. Friday, July 29th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Lance Spitzner, Jennifer Miller, and Thomas McHahon. http://www.sans.org/info/187600
***************************************************************************

THE REST OF THE WEEK'S NEWS

FBI Investigating DNC eMail Breach (July 25, 2016)

The FBI is investigating the breach of the US Democratic National Committee that resulted in email messages being stolen and posted on WikiLeaks. The FBI says it is "working to determine the nature and scope of the matter." Some close to the investigation say the attack bears the hallmarks of nation-state activity.
Read more in:
SC Magazine: Russian hackers take the stage at DNC convention
-http://www.scmagazine.com/russian-hackers-take-the-stage-at-dnc-convention/artic
le/511686/

CNET: FBI investigating hack of Democratic party email
-http://www.cnet.com/news/fbi-investigates-democratic-partys-email-leak/

Amazon Fixes SSL Security Issue in Silk Browser (July 25, 2016)

Amazon has fixed a security issue in its Silk web browser that put users at risk of man-in-the-middle attacks. The previous version of Silk, which is preloaded on Amazon Kindle devices, did not include SSL (secure sockets layer) technology, so it ignored SSL security standards in Google searches, and even prevented users from accessing secure versions of the Google search engine. The problem has been fixed in Silk version 51.2.1.
Read more in:
ZDNet: Amazon Silk browser ignored SSL searches, failing to protect your privacy
-http://www.zdnet.com/article/amazon-silk-browser-ignored-ssl-searches-failing-to
-protect-your-privacy/

US $50 Million Piracy Site Lawsuit Settlement (July 25, 2016)

Gary Fung, owner of the Isohunt website, has agreed to pay US $50 million to settle a 2008 lawsuit brought by the Canadian Recording Industry Association (CRIA), now known as Music Canada. The Isohunt website, which facilitated access to pirated content, ceased operations in 2013 when Fung agreed to pay US $110 million to the Motion Picture Association of America (MPAA).

[Editor Comments ]


[Murray ]
This is the kind of offense for which the use of the DCMA was intended.
Read more in:
BBC: Piracy site owner settles $50m lawsuit
-http://www.bbc.com/news/technology-36883179

Ransomware Decryption Tools Available (July 22 and 25, 2016)

Researchers have released tools aimed at helping people recover from PowerWare and Bart ransomware.
Read more in:
The Register: Security firms team to take down rudimentary ransomware
-http://www.theregister.co.uk/2016/07/25/security_firms_team_to_take_down_rudimen
tary_ransomware/

Computerworld: Free decryption tools released for PowerWare and Bart ransomware
-http://www.computerworld.com/article/3099026/security/free-decryption-tools-rele
ased-for-powerware-and-bart-ransomware.html

Election Brings eVoting Machine Concerns (July 22, 2016)

Five US states still use direct recording electronic (DRE) voting machines that do not provide paper backups at all locations; 10 additional states use the machines at some voting locations, and 14 states use DREs with paper backups. Some experts are concerned that election results could be altered through electronic voting machines.
Read more in:
Computerworld: A hackable election? 5 things to know about e-voting
-http://www.computerworld.com/article/3099018/security/a-hackable-election-5-thin
gs-to-know-about-e-voting.html

iOS and Mac OS X Image Handling Flaws (July 22, 2016)

Five vulnerabilities in the way Apple's iOS and Mac OS X process image formats could be exploited to steal data and remotely execute code. Researchers from Cisco's Talos threat intelligence organization detected the flaws, which have been fixed in the most recent versions of iOS, Mac OS X, tvOS, and watchOS.
Read more in:
CNET: iMessage flaw could compromise iPhones, iPads, Macs (video)
-http://www.cnet.com/news/imessage-flaw-could-compromise-iphones-ipads-macs/
ZDNet: iOS, Mac vulnerabilities allow remote code execution through a single image
-http://www.zdnet.com/article/ios-mac-flaw-exposes-your-password-with-one-image-f
ile/

Cisco Talos Blog: Vulnerability Spotlight: Apple Remote Code Execution With Image Files
-http://blog.talosintel.com/2016/07/apple-image-rce.html

Report: FBI Threat Prioritization Process is Problematic (July 21 and 22, 2016)

According to a report from the US Justice Department's Office of the Inspector general (OIG), the FBI's Threat Review and Prioritization (TRP) process, which determines which cyberthreats merit the most attention, has several weaknesses. The terminology the FBI uses to prioritize threats is subjective, which means that the threats that require allocation of greater resources may not receive those resources. Also, because the TRP is conducted only once a year, it "may not be agile enough to identify emerging cyber threats in a timely manner."
Read more in:
FCW: IG slams FBI's 'subjective' approach to cyberthreats
-https://fcw.com/articles/2016/07/25/ig-fbi-cyberthreats.aspx
SC Magazine: Audit: FBI's threat prioritization process too subjective and sluggish
-http://www.scmagazine.com/audit-fbis-threat-prioritization-process-too-subjectiv
e-and-sluggish/article/511386/

Federal Times: FBI cyberthreat assessment should be more than a 'gut check,' IG says
-http://www.federaltimes.com/story/government/cybersecurity/2016/07/21/fbi-cybert
hreat-assessment-should-more-than-gut-check-ig-says/87385440/

DOJ OIG: Audit of the Federal Bureau of Investigation's Cyber Threat Prioritization (PDF)
-https://oig.justice.gov/reports/2016/a1620.pdf#page=1

INTERNET STORM CENTER TECH CORNER

NIST Digital Authentication Guide Preview
-https://github.com/usnistgov/800-63-3

Powerware Ransomware Spoofing Locky
-http://researchcenter.paloaltonetworks.com/2016/07/unit42-powerware-ransomware-s
poofing-locky-malware-family/

SAP HANA Security Advisory
-http://www.onapsis.com/research/security-advisories

Pokemon Go Forensics
-https://www.gillware.com/forensics/blog/mobile-forensics/oh-no-pokemon-go-forens
ic-artifacts

Python Malware - Part 4
-https://isc.sans.edu/forums/diary/Python+Malware+Part+4/21297/

Powerware Decrypter
-https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_decry
pt.py

No More Ransomware
-https://www.nomoreransom.org

Pangu iOS 9.3.3 Jailbrake
-http://en.pangu.io

Safe Skies TSA Keys Duplicated
-http://www.3ders.org/articles/20160725-hackers-create-3d-printed-tsa-safe-skies-
master-key-for-luggage-release-blueprints.html



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create