SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #7

January 26, 2016

TOP OF THE NEWS

FBI Network Investigation Technique Helps Uncover Tor Users' Identities
Fortinet SSH Backdoor
New US Government Agency Will Handle Background Checks

THE REST OF THE WEEK'S NEWS

OpenSSL Patch On the Way
Philips Calls Off LumiLEDs Sale After US Regulator Rejects Deal
Magento Update
UVa Discloses Human Resources System Breach
Irish Government Websites Targeted in DDoS Attacks
Google Updates Chrome to Version 48
AMX Harman Says it Did Not Hide Backdoor
HD Moore leaving Rapid7 for Venture Capital

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Lancope **************************

Accelerate Incident Response with NetFlow Analysis - FREE DUMMIES eBOOK! Download our latest eBook to learn best practices for building an effective incident response team, process, and toolkit. In addition, learn how NetFlow analysis can accelerate incident response by delivering complete network visibility to discover, investigate, and counteract a wide variety of cyberattacks!
http://www.sans.org/info/183002

***************************************************************************

TRAINING UPDATE

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 4 courses.
http://www.sans.org/u/aBH

- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

FBI Network Investigation Technique Helps Uncover Tor Users' Identities (January 21 and 22, 2016)

According to an anonymous source in the Washington Post, the FBI used spyware to uncover information leading to the identification of people using the Tor network. Last year, the FBI seized an illicit website that was hidden through the Tor network, but allowed the site to operate for nearly two weeks so agents could activate malware to identify and gather evidence to prosecute those operating the site. A federal court had authorized the use of the network investigative technique. The FBI used the same technique to seize TorMail in 2013.
-https://www.washingtonpost.com/world/national-security/how-the-government-is-usi
ng-malware-to-ensnare-child-porn-users/2016/01/21/fb8ab5f8-bec0-11e5-83d4-42e3bc
eea902_story.html?postshare=6721453401674096&tid=ss_tw
-http://arstechnica.com/tech-policy/2016/01/after-fbi-briefly-ran-tor-hidden-chil
d-porn-site-investigations-went-global/
-http://www.scmagazine.com/fbi-faces-allegations-of-infecting-innocent-tormail-us
ers-with-spyware/article/466942/
-http://motherboard.vice.com/read/fbi-may-have-hacked-innocent-tormail-users

Fortinet SSH Backdoor (January 22, 23 and 25, 2016)

Fortinet has acknowledged that an SSH backdoor detected in some of its products exists in some of the company's new products as well. The accounts with a hardcoded password are "remote management" features, according to Fortinet.
-http://www.theregister.co.uk/2016/01/23/thought_you_were_safe_from_the_fortinet_
backdoor_think_again/
-http://www.computerworld.com/article/3025913/security/fortiguard-ssh-backdoor-fo
und-in-more-fortinet-security-appliances.html
-http://arstechnica.com/security/2016/01/secret-ssh-backdoor-in-fortinet-hardware
-found-in-more-products/
-http://www.govinfosecurity.com/fortinet-finds-more-ssh-backdoors-a-8826
-http://www.scmagazine.com/fortinet-on-ssh-vulnerabilities-look-this-really-isnt-
a-backdoor-honest/article/467066/
[Editor's Note (Ullrich): This vulnerability has been heavily probed and it needs to be addressed as soon as possible. An exploit is trivial if the attacker is able to connect to a vulnerable firewall. (Honan): I hope that all network equipment vendors upon hearing this news about the backdoor in Fortinet's products and the news earlier this year about similar issues with some of Juniper's systems will now carry out a comprehensive audit of all their code and remove any such weaknesses. ]

New US Government Agency Will Handle Background Checks (January 22 and 25, 2016)

The White House has announced that a new agency will assume the job of conducting background checks on contractors and government employees. The Office of Personnel Management's (OPM) Federal Investigative Services (FIS) will become part of the National Background Investigations Bureau (NBIB). "The Department of Defense will assume the responsibility for the design, development, security, and operation of the background investigations IT systems for the NBIB."
-https://fcw.com/articles/2016/01/22/nbib-clearance-noble.aspx
-https://www.whitehouse.gov/blog/2016/01/22/way-forward-federal-background-invest
igations
-http://www.nextgov.com/cybersecurity/2016/01/after-opm-hack-pentagon-store-and-s
ecure-sensitive-security-clearance-docs/125338/?oref=ng-HPtopstory
-http://thehill.com/policy/cybersecurity/266721-pentagon-will-secure-opm-backgrou
nd-checks-after-hacks
-http://www.v3.co.uk/v3-uk/news/2443093/us-government-changes-personnel-data-proc
essing-after-opm-hack
[Editor's Note (Ullrich): Building large targets will lead to large leaks. Moving the target from one organization to another will not help unless the data is managed better. Data management needs to include a retention policy that removes raw data from online access after its immediate usefulness for an ongoing investigation expired. (Honan): Renaming an organisation after it suffers a security breach may be one way to protect brand reputation, but the fundamentals of good and effective security still cannot be overlooked. I hope the security budget for this new organisation is much bigger than its rebranding budget. ]

---

************************** SPONSORED LINKS ********************************
1) Securing Your IoT | Live Webinar - Join us as we discuss the IoT phenomenon, and provide takeaways to help you start securing your network in 2016. http://www.sans.org/info/183007

2) What Works in Threat Prevention: Detecting and Stopping Attacks more accurately and Quickly with ThreatSTOP. Friday, February 12, 2016 at 1:00 PM EST (18:00:00 UTC) with John Pescatore and Ken Compres. http://www.sans.org/info/183012

3) Risky Business: Evaluating the True Risk to your Security Program. Monday, February 08, 2016 at 1:00 PM EST (18:00:00 UTC) with Johannes Ullrich and Mike Goldgof. http://www.sans.org/info/183017
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

OpenSSL Patch On the Way (January 25, 2016)

OpenSSL plans to release versions 1.0.2f and 1.0.1r to address two security issues in the open source implementations of the SSL and TLS protocols. The patches will be released on Thursday, January 28, 2016. Users should note that support for OpenSSL versions 1.0.0 and 0.9.8 expired at the end of 2015. Version 1.0.1 will be supported through the end of 2016; version 1.0.2 will be supported through the end of 2019.
-http://www.zdnet.com/article/vital-openssl-patch-coming/
-http://www.infosecurity-magazine.com/news/openssl-to-patch-a-highseverity/
-https://mta.openssl.org/pipermail/openssl-announce/2016-January/000058.html
[Editor's Note (Ullrich): The vulnerabilities to be patched are rated "high" and "low", but not "critical" which is OpenSSL's most severe rating. Likely not an emergency patch. ]

Philips Calls Off LumiLEDs Sale After US Regulator Rejects Deal (January 22 and 25, 2016)

A US government interagency committee has blocked the sale of a majority interest of company that makes widely used LED lights to a capital group that includes Chinese companies. Philips, which owns LumiLEDs, "was not permitted to disclose the nature of the concerns raised by the Committee on Foreign Investment in the United States. While LumiLEDs is based in California, Philips, the parent company, is Dutch.
-http://www.computerworld.com/article/3026198/security/us-invokes-national-securi
ty-to-stop-sale-of-philips-led-unit-to-chinese.html
-http://fortune.com/2016/01/22/u-s-kills-philips-lumileds-sale-and-no-one-knows-w
hy/
-http://www.bloomberg.com/news/articles/2016-01-22/philips-scraps-lumileds-sale-t
o-go-scale-on-u-s-opposition

Magento Update (January 25, 2016)

Magento has issued an update for its ecommerce content management system to fix a pair of critical flaws that could be exploited to launch cross-site scripting (XSS) attacks. XXS attacks can be used to gain elevated privileges, steal data, and take control of vulnerable websites. The update also addresses RSS-based information leaks, brute force attack vulnerabilities, and others.
-http://www.zdnet.com/article/magento-update-fixes-critical-xss-flaws/
-http://arstechnica.com/security/2016/01/bug-in-magento-puts-millions-of-e-commer
ce-merchants-at-risk-of-takeover/
-https://blog.sucuri.net/2016/01/security-advisory-stored-xss-in-magento.html
">
-https://blog.sucuri.net/2016/01/security-advisory-stored-xss-in-magento.html

[Editor's Note (Williams): One of the vulnerabilities fixed in this patch is a stored XSS flaw which is present in the administration panel. Stored XSS generally represents a more significant risk to users than reflective XSS. This is definitely a "patch now" vulnerability as it can exploited during customer registration and compromises those logged in as admin. Original write-up on the vulnerability can be found here:
-https://blog.sucuri.net/2016/01/security-advisory-stored-xss-in-magento.html
">
-https://blog.sucuri.net/2016/01/security-advisory-stored-xss-in-magento.html
]

UVa Discloses Human Resources System Breach (January 25, 2016)

The University of Virginia (UVa) has disclosed that a breach of a human resources system component compromised employee data. A phishing attack yielded credentials that allowed the attackers access to the system. The compromised data include W-2 tax forms for 2013 and 2014 for 1,400 employees. A small number of employees' direct deposit information was also compromised. The FBI investigated and authorities have arrested suspects in the case.
-http://www.zdnet.com/article/university-of-virginia-data-breach-exposed-financia
l-data/
-http://www.scmagazine.com/phishing-attack-exposes-1400-w-2s-at-uva/article/46722
5/
-http://www.virginia.edu/informationsecurity/Jan-22-incident-FAQs/

Irish Government Websites Targeted in DDoS Attacks (January 22, 2016)

Several Irish government websites were hit with distributed denial-of-service (DDoS) attacks on Friday morning, January 22. The sustained attack prevented people from accessing the Health Service Executive, Department of Defence, Court Service, Department of Justice, and Central Statistics sites, among others. The sites were back online later that afternoon.
-http://www.irishtimes.com/business/technology/government-websites-taken-down-by-
sustained-cyber-attack-1.2506798
-http://www.bbc.com/news/world-europe-35379817
-http://thehill.com/policy/cybersecurity/266689-irish-government-hit-by-sustained
-cyberattack
-http://www.theregister.co.uk/2016/01/22/irish_gov_ddos/

Google Updates Chrome to Version 48 (January 22, 2016)

Google Chrome has been updated to version 48. The newest stable version of the browser includes fixes for 37 issues, two of which were rated high risk.
-http://www.scmagazine.com/google-updates-chrome-to-stable-channel-issues-patches
/article/466472/
[Editor's Note (Murray): Every new browser touts its security. As it incorporates Flash and similar legacy features, its security approaches that of its competitors. ]

AMX Harman Says it Did Not Hide Backdoor (January 22, 2016)

AMX Harman says that the backdoor reportedly found in many of the company's products is nothing more than an old diagnostic login to help with customer support. The company acknowledged that last summer, it "determined that it would be prudent to eliminate this feature as part of a comprehensive software update." That update was released in December 2015. AMX Harman makes audio-visual and building control equipment.
-http://www.darkreading.com/risk/amx-harman-disputes-deliberately-hiding-backdoor
-in-its-products/d/d-id/1324029?
-http://arstechnica.com/security/2016/01/media-devices-sold-to-feds-have-hidden-b
ackdoor-with-sniffing-functions/
[Editor's Note (Ullrich): What they did is paint a backdoor that used to be red green, and they hoped nobody would find it anymore. Do they really expect anybody to be fooled into believing that AMX/Harman have any clue how to build secure remotely accessible devices? (Murray): It seems that programmers are highly resistant to transferring control to their employers and their customers. If they insist upon maintaining backdoors, perhaps we should teach them to do it in such a way as to minimize the risk to the rest of us. (Williams): Given the proliferation of AMX devices in board rooms and conference rooms, organizations should look to determine if they are patched. The best technical writeup on the vulnerability discovery can be found here:
-http://blog.sec-consult.com/2016/01/deliberately-hidden-backdoor-account-in.html]

HD Moore leaving Rapid7 for Venture Capital (Sept. 21, 2016)

HD Moore, perhaps best known for the creation of Metasploit will leave the security company Rapid7 where he has worked for six years to enter the world of cybersecurity startups. The change will happen later this month. - -
-https://threatpost.com/hd-moore-to-build-new-venture-capital-firm/115969/
[Editor's Note (Northcutt): Quite a career. If I remember right he did not have his driver's license when he did a webcast with Rob Kolstadt and myself at SANS in 1999:
-http://seclists.org/nmap-announce/1999/202]

---

STORM CENTER TECH CORNER

Extracting PCAPs From Memory
-https://isc.sans.edu/forums/diary/Extracting+pcap+from+memory/20639/

Dealing With Obfuscated MIME Files
-https://isc.sans.edu/forums/diary/Obfuscated+MIME+Files/20643/

Indian Banks Hit By Ransomware
-http://news.softpedia.com/news/lechiffre-ransomware-hits-three-indian-banks-caus
es-millions-in-damages-499350.shtml

RSA Conferences Asks For Plaintext Twitter Passwords
-http://www.theregister.co.uk/2016/01/22/bad_form_rsa_sucking_up_suckers_twitter_
logins_for_confab_blab/

Cisco unauthenticated CGI Script "Backdoor"
-http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
160120-ucsm

Assessing Remote Certificates With Powershell
-https://isc.sans.edu/forums/diary/Assessing+Remote+Certificates+with+Powershell/
20645/

Apple Updates
-https://www.intego.com/mac-security-blog/apple-updates-xprotect-to-detect-micros
oft-silverlight-exploit/
-https://support.apple.com/en-us/HT205729

Paypal Exploitable Via Java Deserialization Vulnerability
-http://artsploit.blogspot.com/2016/01/paypal-rce.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/