SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #67

August 23, 2016

Cyber-Insurance: Successes and Failures
In light of two public cases where cyber insurance policy holders felt very badly served by their insurers (Continental Casualty Co. v. Cottage Health Systems and Travelers Property Casualty Co. of America v. Federal Recovery Services Inc.) it seems appropriate to use SANS' consensus capabilities to find out what works and what doesn't in cyber insurance. If you have an example of a cyber insurance policy not paying for losses caused by an intrusion, please join the discussion by sending me a note with a few details (apaller@sans.org).
Alan

---

TOP OF THE NEWS

NASA CIO Lets Network Cybersecurity Authorization Expire
Report: Which Android Manufacturers Push Out Updates Most Quickly?

THE REST OF THE WEEK'S NEWS

Some Healthcare Providers Not Encrypting Data in Transit
Australian Teen Will Not be Jailed for DDoS Attacks
Code Found in Snowden Docs Matches Code in Leaked NSA Exploits
FTC Will Host Ransomware Panel Discussions
Senators Seek IT Systems Security and Reliability Information from Airlines
NSA Had Access to Cisco PIX VPNs for Years
Eddie Bauer Point-of-Sale Breach

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

************************ Sponsored By Sophos *************************

Got malware lurking in your system? Find out with this on-demand tool that detects and cleans up anything your existing anti-malware has missed. Advanced malware can hide in your system for years - stealing data and compromising your organization. Stay protected and get your free malware scan. Learn more:
http://www.sans.org/info/188222

***************************************************************************

TRAINING UPDATE

--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 |
https://www.sans.org/event/brussels-autumn-2016

--SANS Northern Virginia 2016 | Crystal City, VA | September 6-11 |
https://www.sans.org/event/crystal-city-2016

--SANS Network Security 2016 | Las Vegas, NV | September 10-19 |
https://www.sans.org/event/network-security-2016

--SANS London Autumn 2016 | London, UK | September 19-24 |
https://www.sans.org/event/london-autumn-2016

--Security Leadership Summit & Training | Dallas, TX | September 27 - October 4, 2016 |
https://www.sans.org/event/security-leadership-summit-2016

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA |
https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic |
https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD |
https://www.sans.org/event/baltimore-2016

--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan |
https://www.sans.org/event/tokyo-autumn-2016

--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA
https://www.sans.org/event/tysons-corner-2016

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA |
https://www.sans.org/event/san-diego-2016

---

TOP OF THE NEWS

NASA CIO Lets Network Cybersecurity Authorization Expire (August 22, 2016)

NASA's CIO has allowed cybersecurity authorization for one of the agency's main networks to expire. Renee Wynn did not sign off on the network's authority to operate (ATO) due to a host of security issues. The network is managed by Hewlett Packard Enterprises. An unnamed source familiar with NASA's IT environment says the problem lies in contracting errors, and that "by including only general security clauses, they left a security hole that catalyzed the massive security problems at NASA."

[Editor Comments ]

[Pescatore ]
It is good to see a CIO take such a highly visible step to indicate business as usual without basic security hygiene cannot continue. All too often this type of publicity only occurs *after* a major breach. Nearly all of the large government basic purchase order/indefinite delivery, indefinite quantity (IDIQ) procurement vehicles should be reviewed to make sure they include simple, well proven approaches to assuring hardware and software is bought in the most secure configuration and design as possible.

[Murray ]
The persistent failure of Government systems suggests that Federal managers have authorized the operation of many systems that they should not have. The default has been "when in doubt, authorize." It is for making such courageous and unpopular decisions that executives are paid the big bucks.

[Northcutt ]
This is a pretty big deal, a number of people are saying unprecedented. Here are links to the press release from the 2010 contract, the ACES home page and a story, also from Jason Miller in March pointing to this event:
-http://www.nasa.gov/home/hqnews/2010/dec/HQ_C10-080_ACES.html
-http://www.hq.nasa.gov/office/itcd/ACES.html
-http://federalnewsradio.com/cybersecurity/2016/03/widespread-neglect-puts-nasas-
networks-jeopardy/


[Shpantzer ]
There are many cases of nightmarish multi-year government outsourcing contracts that end up leaving the CISO stuck without the ability to perform even basic security tasks such as scanning and patching, and that's during normal operations, not during an incident. After the contract is signed, these tasks, if not already included, become expensive change orders.
Read more in: Federal News Radio: NASA's 'act of desperation' demonstrates continued cyber deficiencies
-http://federalnewsradio.com/reporters-notebook-jason-miller/2016/08/nasas-act-de
speration-demonstrates-continued-cyber-deficiencies/

Report: Which Android Manufacturers Push Out Updates Most Quickly? (August 19, 2016)

According to a report from Apteligent, Motorola pushed out Android fixes more quickly than any other manufacturer except for Google's Nexus devices, which receive the updates the day they are released. The study looked at the amount of time it took for manufacturers to upgrade devices from Android 5.x Lollipop to Android 6.0 Marshmallow. Android 6.0 Marshmallow was released on October 5, 2015; manufacturers took between three and five months to push out updates for all devices.

[Editor Comments ]

[Ullrich ]
Many recent high profile vulnerabilities, like the hyped "Quadrooter" issue, are mostly mitigated in the most recent versions of Android. But with Google having no control over when updates are installed for the majority of the user base, users remain exposed due to the time it takes for updates to reach users. You should review the update history of particular device manufacturers before committing to a particular phone. One source of such data is
-http://www.computerworld.com/article/3052937/android/android-upgrade-report-card
-marshmallow.html
Some manufacturers will also "end of life" phones earlier then others.

[Pescatore ]
Many, if not most, of these updates are feature updates vs. security updates. Users who leave the default setting on Android phones to "only use apps through the Play store" have decent (not perfect) protection against malware trying to exploit Android OS vulnerabilities. That said, the mobile phone industry needs to be more like the browser industry and speed up the push out of vulnerability fixes.
Read more in: The Register: Two-speed Android update risk: Mobes face months-long wait
-http://www.theregister.co.uk/2016/08/19/android_update_risk/
Apteligent: Data Report: Android Manufacturer Edition (PDF)
-https://data.apteligent.com/download-report?report=apteligent-data-report-july-2
016.pdf

---

*************************** SPONSORED LINKS *****************************
1) Hunting 101 - Back to Basics: Implementing a Proactive Cyber Hunting Approach. Thursday, September 8th, 2016 at 1:00 PM Eastern with Brad Mecha and Dave Shackleford. Register: http://www.sans.org/info/188227

2) What overall system and security lifecycle practices are working and which ones aren't? Register to find out: http://www.sans.org/info/188232

3) What are your vulnerabilities? Do you even know? Take SANS survey and enter to win a $400 Amazon Gift Card. Take the survey HERE: http://www.sans.org/info/187750
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Some Healthcare Providers Not Encrypting Data in Transit (August 22, 2016)

According to a survey from the Healthcare Information Management Systems Society (HIMSS), roughly one-third of hospitals, and more than half of non-acute healthcare providers do not encrypt patient data while in transit. Just over 60 percent of acute providers and 48 percent of non-acute providers do encrypt patient data while on their systems.

[Editor Comments ]

[Shpantzer ]
Quick guide for auditors: Step 1: Install Wireshark on Windows desktop (operate it as a user, not admin) with a couple of terabytes available in storage. Step 2: Grab a packet capture from a relevant part of the network for 30-60 minutes (depends on how busy the network is...) Step 3: Save file and name it "Where is TLS 1.2" Step 4: Open the file and sort by protocol, then go over this with someone who knows a bit about Wireshark.
Read more in: Computerworld: Many hospitals transmit your health records unencrypted
-http://www.scmagazine.com/2fa-flaw-in-paypals-login-portal-fixed/article/517458/
HIMSS: 2016 HIMSS Cybersecurity Survey (PDF)
-http://www.himss.org/sites/himssorg/files/2016-cybersecurity-report.pdf

Australian Teen Will Not be Jailed for DDoS Attacks (August 21 and 22, 2016)

An Australian teenager who pleaded guilty to launching distributed denial-of-service (DDoS) attacks against a bank, a school and the Australian Cybercrime Reporting network, will not go to jail. The judge sentenced the 15-year-old to a "family conference," which means that "the court leaves the punishment to the family and a supervising youth police officer, who must agree with the punishment in order to consider the matter closed."
Read more in: SC Magazine: Aussie teen let off the hook after initiating multiple DDoS attacks
-http://www.scmagazine.com/aussie-teen-let-off-the-hook-after-initiating-multiple
-ddos-attacks/article/517667/
Softpedia: Teen Avoids Jail Time After DDoSing Australia's Biggest Bank & E-Crime Portal
-http://news.softpedia.com/news/teen-avoids-jail-time-after-ddosing-australia-s-b
iggest-bank-e-crime-portal-507510.shtml

Code Found in Snowden Docs Matches Code in Leaked NSA Exploits (August 19, 2016)

NSA documents leaked by Edward Snowden in 2013 contain a tracking string that matches strings found in the samples of spy tool files released by a group claiming to have stolen them from The Equation Group, which has links to the NSA. One of the documents Snowden leaked was a draft manual about a man-in-the-middle malware tool called SECONDDATE. The manual calls for deployments of the malware to be tracked with an identification string, which was also found in files released by the data thieves.

[Editor Comments ]

[Ullrich and Paller ]
It is highly unlikely that this is the first time that tools left behind by NSA operations have been captured. "Cyber" weapons, unlike bullets and bombs, are not destroyed when they are used.
Read more in: The Register: Snowden files confirm Shadow Brokers spilled NSA's Equation Group spy tools over the web
-http://www.theregister.co.uk/2016/08/19/snowden_docs_shadow_brokers_nsa_exploits
/
Computerworld: Shared code in Snowden leaks and NSA breach back up hackers' claims
-http://www.computerworld.com/article/3109551/security/shared-code-in-snowden-lea
ks-and-nsa-breach-back-up-hackers-claims.html
CNET: New Snowden docs support claim of NSA cyberweapon hack
-http://www.cnet.com/news/new-snowden-docs-support-claim-of-nsa-cyberweapon-hack/

FTC Will Host Ransomware Panel Discussions (August 19, 2016)

Next month, the US Federal Trade Commission (FTC) will host three panel discussions on ransomware to help organizations and consumers protect their computers. The event is scheduled for September 7 at 1:00PM ET and will be webcast from the FTC site.
Read more in: Computerworld: Ransomware attracts FTC attention
-http://www.computerworld.com/article/3109947/cybercrime-hacking/ransomware-attra
cts-ftc-attention.html
FTC: Fall Technology Series: Ransomware
-https://www.ftc.gov/news-events/events-calendar/2016/09/fall-technology-series-r
ansomware

Senators Seek IT Systems Security and Reliability Information from Airlines (August 19, 2016)

Two US senators have asked major airlines for details of their IT systems and the policies and procedures they have established to manage outages and cyberattacks. Senators Edward Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) wrote that they "are concerned with recent reports indicating that airlines' IT systems may be susceptible to faltering because of the way they are designed and have been maintained." Markey and Blumenthal's concerns include airline mergers that combine different systems and the use of outdated technology.

[Editor Comments ]

[Williams ]
The problem of securely integrating heterogeneous equipment during mergers and acquisitions (M&A) is not specific to airlines - though their outages are particularly visible. When networks are merged during M&A, the focus is almost always on usability first, with security being an afterthought. Security architects should be involved in this process from start to finish. Even if their recommendations aren't adopted, their early involvement allows architects to document the "as built" network and help the SOC develop monitoring strategies for security pain points.
Read more in: FCW: Lawmakers call on major airlines to fix IT issues
-https://fcw.com/articles/2016/08/19/airline-it-congress.aspx
Senate: Letter from Markey and Blumenthal to Airlines (PDF)
-http://www.markey.senate.gov/imo/media/doc/Delta.pdf

NSA Had Access to Cisco PIX VPNs for Years (August 19, 2016)

Among the NSA tools that were recently leaked is an exploit for a vulnerability in Cisco's PIX equipment. Known as BENIGNCERTAIN, the tool helps those who have it determine the digital keys to gain access to virtual private networks that use PIX equipment. It appears that the NSA has had access to these VPNs since the early 2000s. Cisco no longer sells or supports PIX products.

[Editor Comments ]

[Williams ]
It's not just NSA that may have had the keys. Whoever controlled the code in the Shadow Brokers dump has likely had been using it for the last 3 years as well. Don't just evaluate whether you have a PIX in place today. Have you ever had a PIX in place (particularly for the last 3 years)? We are recommending that customers create ACLs to restrict IKE traffic to authorized hosts. IKE is an extremely complicated protocol and more bugs of this nature are likely to be discovered.
Read more in: Washington Post: The latest NSA leak shows why it's so hard to trust even tech designed to keep computers safe
-https://www.washingtonpost.com/news/the-switch/wp/2016/08/19/the-latest-nsa-leak
-shows-why-its-so-hard-to-trust-even-tech-designed-to-keep-computers-safe/
Ars Technica: How the NSA snooped on encrypted Internet traffic for a decade
-http://arstechnica.com/security/2016/08/cisco-firewall-exploit-shows-how-nsa-dec
rypted-vpn-traffic/

Eddie Bauer Point-of-Sale Breach (August 18 and 19, 2016)

Clothing and outdoor retailer Eddie Bauer has acknowledged that point-of-sale (POS) systems at all its stores in North America were infected with malware. The malware has been removed, but any payment card used at any North American Eddie Bauer store between January 2, 2016 and July 17, 2016 is at risk.

[Editor Comments ]

[Murray ]
This is merely this week's evidence that we must get rid of mag-stripes and credit card numbers in the clear. A retail payment system that relies for its integrity on the security of millions of merchants is fundamentally flawed. We know what the solution looks like (cardless, contactless, and (credit card account) numberless) but we cannot get there as long as backward compatibility trumps security and integrity.
Read more in: KrebsonSecurity: Malware Infected All Eddie Bauer Stores in US, Canada
-http://krebsonsecurity.com/2016/08/malware-infected-all-eddie-bauer-stores-in-u-
s-canada/
Dark Reading: Eddie Bauer Reports Intrusion Into Point Of Sale Network
-http://www.darkreading.com/attacks-breaches/eddie-bauer-reports-intrusion-into-p
oint-of-sale-network/d/d-id/1326686?
The Register: Shopped in an Eddie Bauer store recently? Your card's probably gone. It's just gone
-http://www.theregister.co.uk/2016/08/19/eddie_bauer_becomes_latest_retailer_stru
ck_by_pos_malware/
Computerworld: Eddie Bauer is latest retailer to be hit by point-of-sale malware
-http://www.computerworld.com/article/3109521/security/eddie-bauer-is-latest-reta
iler-to-be-hit-by-point-of-sale-malware.html
Kroll: Open Letter to the Eddie Bauer Community from M. Egeck, CEO
-http://cardnotification.kroll.com/

---

INTERNET STORM CENTER TECH CORNER

GnuPG/libgcrypt Weak Random Numbers (CVE-2016-6316)
-https://lists.gnupg.org/pipermail/gnupg-announce/2016q3/000395.html

Wikileaks Leaked E-Mail Includes Malware
-https://github.com/bontchev/wlscrape/blob/master/malware.md

Android Vulnerable to TCP Connection Hijack
-https://blog.lookout.com/blog/2016/08/15/linux-vulnerability-android/

Cerber Ransomware Decryption Tool No Longer Operational
-https://www.cerberdecrypt.com/RansomwareDecryptionTool/

Multiple Vulnerabilities in BHU Router
-http://blog.ioactive.com/2016/08/multiple-vulnerabilities-in-bhu-wifi.html

Smart Socket Vulnerability
-https://labs.bitdefender.com/2016/08/hackers-can-use-smart-sockets-to-shut-down-
critical-systems/

Smart Security Cameras are Spying on You
-http://www.forbes.com/sites/marcwebertobias/2016/08/22/is-your-smart-security-ca
mera-protecting-your-home-or-spying-on-you/#6fb3a6414d1e

Veracrypt 1.18a With Limited UEFI Support
-https://veracrypt.codeplex.com/releases/view/625477

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create