SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #66

August 19, 2016

Improving cybersecurity education quickly: Students who want to have useful cybersecurity skills, and their teachers, have had trouble finding high-quality, safe hands-on challenges that actually build their skills. A consortium of educators, along with the good folks at BSides, have found a great solution. Here's what I am hearing from users:


--"It gives you a chance to experience things that you can't normally see or work on in a classroom environment." (Tok Huey Cheit, Singapore Polytechnic)


--"It was challenging and caused the group to think outside the box. We got the opportunity to utilize a lot of different tools and work as individuals as well as a team." (Dr. Jonathan Graham, Norfolk State University IA-REDI)


--"It was different than most cyber security competitions, like a CTF. The team was able to look for clues and make conclusions about overall concepts." (Greg Sarafian, River Dell Regional High School, Oradell, NJ)


Before the new school year gets rolling, students and educators owe it to themselves to check out the challenges at the PIVOT project. All free at http://pivotproject.org

Alan Paller

---

TOP OF THE NEWS

Stolen NSA Tools Take Advantage of Zero-Day Vulnerabilities
Cisco and Fortinet Acknowledge Flaws Exposed in NSA Leak
Locky Ransomware Used Against Hospital Systems

THE REST OF THE WEEK'S NEWS

SWIFT Overlooked Security Issues for Years
Arrest in Sage Software Breach
Operation Ghoul Targets Industrial Organizations, Steals Financial Data
US Department of Homeland Security Offers States Election Systems Security Help
US Dept. of Energy Awards $34 Million to Smart Grid Security Projects
US Social Security Administration Changes Account Management Policy
Proxy Authentication Implementation Flaws Affects Multiple Products
DHS IMPACT Program Focuses on Critical Infrastructure Cybersecurity

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

******************* Sponsored By Great Bay Software ********************

Air Academy Federal Credit Union detected WiFi Pineapple Attacks in seconds with Network Access Control from Great Bay Software. Register for the WhatWorks webcast to find out how: Tuesday, August 23rd, 2016 at 11:00 AM Eastern with John Pescatore and Jeremy Taylor.
http://www.sans.org/info/188152

***************************************************************************

TRAINING UPDATE

--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016

--SANS Northern Virginia 2016 | Crystal City, VA | September 6-11 | https://www.sans.org/event/crystal-city-2016

--SANS Network Security 2016 | Las Vegas, NV | September 10-19 | https://www.sans.org/event/network-security-2016

--SANS London Autumn 2016 | London, UK | September 19-24 | https://www.sans.org/event/london-autumn-2016

--Security Leadership Summit & Training | Dallas, TX | September 27 - October 4, 2016 | https://www.sans.org/event/security-leadership-summit-2016

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA | https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic | https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD | https://www.sans.org/event/baltimore-2016

--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan | https://www.sans.org/event/tokyo-autumn-2016

--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA | https://www.sans.org/event/tysons-corner-2016

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA | https://www.sans.org/event/san-diego-2016

***************************************************************************

---

TOP OF THE NEWS

Stolen NSA Tools Take Advantage of Zero-Day Vulnerabilities (August 16, 17 and 18, 2016)

Sophisticated "hacking tools" allegedly stolen from an NSA-related server have been leaked online. The thieves have said they plan to sell the tools in a digital auction.
The tools bear digital signatures that match those used by the Equation Group, a group that has alleged links to the NSA. The incident highlights the risk of hoarding zero-day vulnerabilities. When intelligence agencies use them to develop tools, those tools could be stolen and make their way into the hands of malicious actors.

[Editor Comments ]


[Ullrich ]
Only a few of the vulnerabilities that have been published so far are zero-day vulnerabilities. Many are for vulnerabilities for which patches have been available for a couple of years, or vulnerabilities that can be mitigated if the configuration of systems follows best practices. But the difficult part is that the vulnerabilities target network devices, and in particular perimeter protection devices that are exposed and often not as well monitored as endpoints.
Read more in:
eWeek: Hard Facts Scarce in Purported Theft of Hacking Tools from NSA Server
-http://www.eweek.com/security/hard-facts-scarce-in-purported-theft-of-hacking-to
ols-from-nsa-server-2.html
Washington Post: NSA hacking tools were leaked online. Here's what you need to know.
-https://www.washingtonpost.com/news/the-switch/wp/2016/08/17/nsa-hacking-tools-w
ere-leaked-online-heres-what-you-need-to-know/
Wired: The Shadow Brokers Mess is What Happens when the NSA Hoards Zero-days
-https://www.wired.com/2016/08/shadow-brokers-mess-happens-nsa-hoards-zero-days/
Ars Technica: Confirmed: hacking tool leak came from "omnipotent" NSA-tied group
-http://arstechnica.com/security/2016/08/code-dumped-online-came-from-omnipotent-
nsa-tied-hacking-group/
Computerworld: Alleged NSA data dump contains hacking tools rarely seen
-http://www.computerworld.com/article/3109233/security/alleged-nsa-data-dump-cont
ains-hacking-tools-rarely-seen.html

Cisco and Fortinet Acknowledge Flaws Exposed in NSA Leak (August 17, 2016)

Cisco and Fortinet have released fixes for flaws in their products that are exploited in tools allegedly stolen from an NSA server. Cisco has issued patches to address the issues in its PIX and ASA firewalls; Fortinet has patched a flaw in its Fortigate firewalls.
Read more in:
Computerworld: Cisco and Fortinet issue patches against NSA malware
-http://www.computerworld.com/article/3109307/security/cisco-and-fortinet-issue-p
atches-against-nsa-malware.html
ZDNet: Cisco, Fortinet patch flaws used by alleged NSA hacking group
-http://www.zdnet.com/article/cisco-fortinet-patch-flaws-exposed-by-alleged-nsa-h
acking-group/
Dark Reading: Cisco Patches Zero-Day Firewall Flaw Exposed in Equation Group Hack
-http://www.darkreading.com/threat-intelligence/cisco-patches-zero-day-firewall-f
law-exposed-in-equation-group-hack/d/d-id/1326662?
Cisco: Cisco Event Response: Cisco ASA SNMP and CLI Remote Code Execution Vulnerabilities
-http://tools.cisco.com/security/center/viewErp.x?alertId=ERP-56516
FortiGuard: Cookie Parser Buffer Overflow Vulnerability
-http://fortiguard.com/advisory/FG-IR-16-023

Locky Ransomware Used Against Hospital Systems (August 18, 2016)

According to FireEye, computer systems at hospitals in the US and Japan are being hit with Locky ransomware in a "massive" campaign. FireEye noted a spike in these attacks earlier this month.
Read more in:
The Register: FireEye warns 'massive' ransomware campaign hits US, Japan hospitals
-http://www.theregister.co.uk/2016/08/18/fireeye_warns_massive_ransomware_campaig
n_hits_us_japan_hospitals/

---

*************************** SPONSORED LINKS *****************************
1) Avanan has identified the most common threats plaguing millions of Office 365 users every day. Wednesday, August 31st, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) http://www.sans.org/info/188157

2) Hunting 101 - Back to Basics: Implementing a Proactive Cyber Hunting Approach Thursday, September 8th, 2016 with at 1:00 PM (13:00:00 EDT/US Eastern) Brad Mecha and Dave Shackleford. http://www.sans.org/info/188162

3) Help SANS determine how organizations conduct CONTINUOUS VULNERABILITY ASSESSMENT and remediation related to the CIS Critical Security Controls http://www.sans.org/info/187750
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

SWIFT Overlooked Security Issues for Years (August 17, 2016)

In February, thieves attempted to steal nearly US $1 billion from Bangladesh's central bank by exploiting weaknesses in the financial transaction messaging system. Former SWIFT CEO Leonard Schrank said that the organization's board members "were focusing on other things and not about the fundamental sacred role of SWIFT, which is the security and reliability of the system." Problems include smaller banks that could not afford to upgrade their systems. Another former board member noted that SWIFT did not take action to promote security because it believed that security was the domain of bank regulators.

[Editor Comments ]


[Murray ]
SWIFT is getting a bum rap here. This is a banking problem, not a messenger problem. SWIFT is a service. It is not party to balances or transactions. It is not a policy maker or a regulator. It is not party to the transactions that it carries or the agreements under which they take place. It has no enforcement authority. It is a private company owned by its customers; it does what they tell it to. We do not want banks to expect or believe that SWIFT can or should protect them from their employees or one another. I have seen no indications that SWIFT has failed to meet any regulation, contractual requirement, or customary expectation.
Read more in:
Reuters: Special Report: Not so SWIFT - Bank messaging system slow to address weak points
-http://www.reuters.com/article/us-cyber-heist-warnings-specialreport-idUSKCN10S0
WC
The Register: Banking system SWIFT was anything but on security, ex-boss claims
-http://www.theregister.co.uk/2016/08/18/swift_was_anything_but_on_security_claim
/

Arrest in Sage Software Breach (August 18, 2016)

Police in the UK have arrested a woman in connection with a data breach at the Sage software company. The incident, which involved unauthorized access by someone using internal login credentials, exposed personal information of employees at 280 organizations in the UK. The unnamed woman, who is currently a Sage employee, was arrested on "suspicion of conspiracy to defraud."
Read more in:
ZDNet: Sage employee arrested at airport following data breach
-http://www.zdnet.com/article/sage-employee-arrested-at-airport-following-data-br
each/
V3: Sage data breach: Woman arrested at Heathrow over incident
-http://www.v3.co.uk/v3-uk/news/2467916/sage-breach-exposes-personal-data-of-staf
f-at-280-companies

Operation Ghoul Targets Industrial Organizations, Steals Financial Data (August 17, 2016)

A malware campaign named Operation Ghoul targets industrial organizations. The attacks are believed to have started in March 2015, and have hit 130 organizations in 30 countries. The attackers gain a foothold in the organizations through spear phishing emails that contain compressed executables. The malware is capable of stealing screenshots and keystrokes. The attackers appear to be seeking sensitive financial information.

[Editor Comments ]


[Williams ]
The Kaspersky victim map doesn't show any victims in Russia. This is especially interesting considering the despite that Kaspersky's sensor network is the largest in Russia. Three possible theories are that 1) Russia is behind Ghoul 2) Nothing in Russia interests Ghoul 3) Ghoul uses a completely different and unattributed toolkit for Russian targets.
Read more in:
ZDNet: Operation Ghoul targets Middle East engineers, industrial players
-http://www.zdnet.com/article/operation-ghoul-targets-middle-east-engineers-indus
trial-players/
Dark Reading: 'Operation Ghoul' Targets Industrial, Engineering Companies In 30 Countries
-http://www.darkreading.com/attacks-breaches/operation-ghoul-targets-industrial-e
ngineering-companies-in-30-countries/d/d-id/1326659?
The Hill: 'Ghoul' hackers targeting industrial businesses: report
-http://thehill.com/policy/cybersecurity/291720-report-ghoul-hackers-targeting-in
dustrial-businesses
SecureList (Kaspersky): Operation Ghoul: targeted attacks on industrial and engineering organizations
-https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-i
ndustrial-and-engineering-organizations/

US Department of Homeland Security Offers States Election Systems Security Help (August 17, 2016)

The US Department of Homeland Security (DHS) is offering state governments help to ensure the security of their electronic voting systems. In an August 15 conference call with members of the National Association of Secretaries of State and other election officials, DHS Secretary Jeh Johnson said that the government would brief them about cyberthreats. Johnson also offered access to expert advice and services.

[Editor Comments ]


[Northcutt ]
The Wired magazine article says it all, "The reason so many machines are so out of date is also simple; replacing them would require money, and few districts are willing or able to pay for them." I was the third person to sign the Whitehouse petition to use paper ballots until we fix this. Please consider signing and suggesting it to others:
-https://petitions.whitehouse.gov//petition/call-paper-ballots
Read more in:
Reuters: US offers states help to fight election hacking
-http://www.reuters.com/article/us-usa-election-cybersecurity-idUSKCN10R1QN
FCW: DHS talks with states about shoring up cyber in voting systems
-https://fcw.com/articles/2016/08/16/cyber-voting-rockwell.aspx
The Hill: DHS offers states cybersecurity help for voting machines
-http://thehill.com/policy/cybersecurity/291692-dhs-offers-states-elections-cyber
security-assistance
Wired: Voting Machines are a Mess - But the Feds Have a (Kinda) Plan
-https://www.wired.com/2016/08/voting-machines-mess-feds-kinda-plan/
SC Magazine: US government extends offer to protect states from electoral cyberthreats
-http://www.scmagazine.com/us-government-extends-offer-to-protect-states-from-ele
ctoral-cyberthreats/article/517104/

US Dept. of Energy Awards $34 Million to Smart Grid Security Projects (August 17, 2016)

The US Department of Energy (DOE) has awarded 12 smart grid security projects a total of US $34 million. The projects fall into one of five topic areas: Detect Adversarial Manipulation of Energy Delivery Systems Components; Secure Integration of Renewable Energy and Energy Efficiency Resources; Continual and Autonomous Reduction of Cyber Attack Surface for Energy Delivery Control Systems; Supply Chain Cybersecurity for Energy Delivery Systems; and Innovative Technologies that Enhance Cybersecurity in the Energy Sector. The funds, which are awaiting congressional approval, were awarded through the Office of Electricity Delivery and Energy Reliability's Cybersecurity of Energy Delivery Systems (CEDS) program.

[Editor Comments ]


[Murray ]
Where is strong authentication, multi-party controls, resilient design, et al.? If we cannot get the basics right, then this esoteric research is for naught.
Read more in:
ZDNet: US Dept of Energy spends $34m on securing the smart grid
-http://www.zdnet.com/article/us-dept-of-energy-spends-34m-on-securing-the-smart-
grid/
The Hill: DOE picks 12 projects for cybersecurity funds
-http://thehill.com/policy/cybersecurity/291690-doe-picks-12-projects-for-cyberse
curity-funds
Dept. of Energy: Fact Sheet: DOE Selections for the Development of Next Generation Cybersecurity Technologies and Tools (PDF)
-http://energy.gov/sites/prod/files/2016/08/f33/CEDS%20award%20selections%20Augus
t2016%20fact%20sheet%20FINAL_1.pdf

US Social Security Administration Changes Account Management Policy (August 16, 2016)

The US Social Security Administration (SSA) has reversed a recently established policy that would have required people to provide the agency with a mobile phone number to manage their benefits online. The policy was established initially so that the SSA could send authentication codes in text messages. The SSA still encourages the use of two-factor authentication with cell phones, but does not require it; SAA will offer other extra security measures by choice.
Read more in:
KrebsonSecurity: SSA: Ixnay on txt msg reqmnt 4 e-acct, sry
-http://krebsonsecurity.com/2016/08/ssa-ixnay-on-txt-msg-reqmnt-4-e-acct-sry/
New York Times: Social Security Retreats From Cellphone-Based Online Security
-http://www.nytimes.com/2016/08/19/your-money/social-security-cellphone-text-code
.html?ref=technology

Proxy Authentication Implementation Flaws Affects Multiple Products (August 17, 2016)

Vulnerabilities in the proxy authentication implementation in products from Apple, Microsoft, Oracle, and Opera could be exploited to conduct man-in-the-middle attacks. The issue, known as FalseCONNECT, lies in "HTTP/1.0 407 Proxy Authentication Required" connection requests. The issues were fixed in Apple products in iOS 9.3.3.

[Editor Comments ]


[Murray ]
We are not seeing "man-in-the-middle (session stealing) attacks." What we are seeing is the fraudulent re-play of credentials compromised to "social engineering (e.g., "phishing") attacks." Priorities, please.
Read more in:
SC Magazine: Proxy authentication flaw affects Apple, Microsoft, Oracle, Opera
-http://www.scmagazine.com/proxy-authentication-flaw-affects-apple-microsoft-orac
le-opera/article/516794/

DHS IMPACT Program Focuses on Critical Infrastructure Cybersecurity (August 18, 2016)

The US Department of Homeland Security's (DHS's) Science and Technology Directorate is releasing data sets regarding cybersecurity events in critical infrastructure. The information will be available to screened researchers through the directorate's Information Marketplace for Policy and Analysis of Cyber-risk and Trust (IMPACT) program.

[Editor Comments ]


[Murray ]
DHS is discovering what mature intelligence agencies have always known; gathering intelligence is only half the problem. Getting it safely to only those that they want to act on it is the other half. Just knowing who those parties are is difficult.
Read more in:
Federal News Radio: DHS' IMPACT tackles infrastructure-related cyber issues
-http://federalnewsradio.com/category/technology/cybersecurity/

---

INTERNET STORM CENTER TECH CORNER

Cryptoanalysis of a Fully Homomorphic Encryption Scheme
-http://eprint.iacr.org/2016/775.pdf

Recreating Android App Displays from Memory
-https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_salt
aformaggio.pdf

Various Router Exploits Released
-https://medium.com/@msuiche/shadow-brokers-nsa-exploits-of-the-week-3f7e17bdc216
#.mnoyydmeu

522 Error Code For the Win
-https://isc.sans.edu/forums/diary/522+Error+Code+for+the+Win/21377/

Short PGP Keys Abused in the Wild
-https://news.ycombinator.com/item?id=12296974

HTTP "FalseConnect" Vulnerability
-http://www.kb.cert.org/vuls/id/905344

One Compromised Site - 2 Exploit Campaigns
-https://isc.sans.edu/forums/diary/1+compromised+site+2+campaigns/21381/

Google Releases OS X Whitelisting Application
-https://github.com/google/santa/wiki

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create