
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #77

September 27, 2016

TOP OF THE NEWS

DHS's Ozment: Cybersecurity Cannot be Centralized
German Political Parties Hacked
Bill Would Punish Agency Heads for Breaches

THE REST OF THE WEEK'S NEWS

KrebsonSecurity Back Online
Komplex Trojan Targets Machines Running Mac OS X
Discover Financial Reports Data Breaches
20-Year Sentence in Cyberterrorism Case
OpenSSL Patches Updates it Just Released
RTCA Gives FAA Aviation Industry Draft Cybersecurity Guidelines
FTC Data Breach Recovery Advice
Cisco Warns of Critical Vulnerability In Cloud Services

INTERNET STORM CENTER TECH CORNER


*********************** Sponsored By Sophos Inc. **********************

Now Available: Sophos Intercept X, an anti-exploit product designed to stop ransomware before it takes hold of your system. Born next-gen, Sophos Intercept X offers an additional layer of protection and a totally new approach to endpoint security. See it in action:
http://www.sans.org/info/188652

***************************************************************************

TRAINING UPDATE

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA | https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic | https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD | https://www.sans.org/event/baltimore-2016

--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan | https://www.sans.org/event/tokyo-autumn-2016

--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA | https://www.sans.org/event/tysons-corner-2016

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA | https://www.sans.org/event/san-diego-2016

--Pen Test HackFest Summit & Training | November 2-9, 2016 | Crystal City, VA | https://www.sans.org/event/pen-test-hackfest-2016

--Healthcare Cybersecurity Summit & Training | November 14-21, 2016 | Houston, TX | https://www.sans.org/event/healthcare-cyber-security-summit-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC | https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA | https://www.sans.org/event/security-east-2017

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017

***************************************************************************

TOP OF THE NEWS

DHS's Ozment: Cybersecurity Cannot be Centralized (September 20, 2016)

The US Department of Homeland Security's (DHS's) assistant secretary for cybersecurity and communications says that responsibility for cybersecurity cannot be centralized and needs to be shared. Speaking earlier this month on a panel discussion at the National Press Club, Andy Ozment said, "Cyberspace and thus cybersecurity are touching every aspect of American lives," and "every aspect of government has to be dealing with cybersecurity."


[Editor Comments]

[Pescatore]
My favorite quote about centralization is from Karl Weick, a professor at the University of Michigan: "The real trick in highly reliable systems is somehow to achieve simultaneous centralization and decentralization." In security, that usually means a strong CISO with a skilled security team that is able to work with IT and business operations to make the "decentralized" part actually happen. Doing this needs to be Job 1 for the incoming Federal CISO.


[Murray]
Line managers are responsible for the security of the resources (e.g., people, property, networks, systems, applications, data) allocated to them to accomplish their mission. They use security staff to help (articulate standards and guidelines, measures, and reports) them do that. In the traditional hierarchical organization, staff repeats at every level, takes functional guidance from the staff above, but is responsible to their line manager for results and use of resources.

Read more in:

FCW: Ozment: Cybersecurity can't be centralized
-https://fcw.com/articles/2016/09/20/ozment-cyber-central.aspx

German Political Parties Hacked (September 21, 2016)

Authorities in Germany are investigating a series of cyberattacks targeting members of Parliament (MPs) and political parties. The country's agency that oversees cybersecurity believes the attacks originated in Russia and may be related to similar attacks against the DNC in the US.

Read more in:

Telegraph: Russia blamed for hacking attack on German MPs
-http://www.telegraph.co.uk/news/2016/09/21/russia-blamed-for-hacking-attack-on-german-mps/

Bill Would Punish Agency Heads for Breaches (September 21, 2016)

Legislation introduced in the US House of Representatives would allow for agency heads to be punished in the event of certain security breaches. The Cybersecurity Responsibility and Accountability Act of 2016 would allow the Office of Management and Budget (OMB) to recommend demotion, pay penalties, or even firing if a breach is found to be due to the agency head's failure "to comply sufficiently with the information security requirements, recommendations, or standards."

Read more in:

Nextgov: Cyber Bill Would Let Agency Heads be Fired if There's a Data Breach
-http://www.nextgov.com/cybersecurity/2016/09/cyber-bill-would-let-agency-heads-be-fired-if-theres-data-breach/131735/



*************************** SPONSORED LINKS *****************************
1) Read why Splunk was named a Leader in the 2016 Gartner Magic Quadrant for SIEM. http://www.sans.org/info/188672

2) Live Webcast: Stop Ransomware Before it Strikes Your Organization - Register Today! http://www.sans.org/info/188662

3) In case you missed it: "Hardening Microservices Security: Building a Layered Defense Strategy" with Dave Hoelzer and Matthew Silverlock. http://www.sans.org/info/188667
******************************************************************************

THE REST OF THE WEEK'S NEWS

Komplex Trojan Targets Machines Running Mac OS X (September 26, 2016)

Researchers at Palo Alto Networks' Unit 42 Team have discovered a Trojan designed to infect computers running Mac OS X. The Komplex Trojan appears to be targeting organizations in the aerospace industry. Komplex exploits a flaw in the MacKeeper antivirus application to infect computers. It is capable of downloading, executing, and deleting files.


[Editor Comments]

[Shpantzer]
It's past time to have detection mechanisms for OS X. OSQuery, Carbon Black and others are available for OS X. The scale issue revolves around who knows OS X security well enough to process the logs, which is where specialized managed services come into place for all but the well-staffed security teams.

Read more in:

Dark Reading: Russian 'Fancy Bear' Hackers Hit Mac OS X With New Trojan
-http://www.darkreading.com/operations/russian-fancy-bear-hackers-hit-mac-os-x-with-new-trojan/d/d-id/1327016?


Computerworld: New Mac Trojan uses the Russian space program as a front
-http://www.computerworld.com/article/3124628/security/new-mac-trojan-uses-the-russian-space-program-as-a-front.html


Palo Alto Networks: Sofacy's 'Komplex' OS X Trojan
-http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

Discover Financial Reports Data Breaches (September 26, 2016)

On September 23, 2016, Discover Financial Services reported three data breaches to the California Attorney General's Office. The breaches occurred in June and October of 2015. Earlier this year, Discover reported two other breaches, from February 2014 and August 2015.

Read more in:

SC Magazine: Discover Financial Services reports three data breaches to California AG
-http://www.scmagazine.com/discover-reports-second-set-of-breaches-this-year/article/524838/

20-Year Sentence in Cyberterrorism Case (September 23 and 26, 2016)

A US federal judge has sentenced Ardit Ferizi "to 20 years in prison for providing material support to the Islamic State of Iraq and the Levant, accessing a protected computer without authorization and obtaining information." Ferizi admitted he gained administrator access to a server used by an unnamed US company. The server contained databases with the company's customers' personally identifiable information. Ferizi sifted through the data for records belonging to members of the US military. This case is the first in which someone has been prosecuted for cyber crimes related to terrorism.


[Editor Comments]

[Pescatore]
The term "cyberterrorism" is used too often, especially in headline hype, as is the case here. There is no charge of "cyberterrorism." Adding the "accessing a protected computer without authorization..." charge added five years to the 20 years maximum of the "providing material support to a designated foreign terrorist organization..." charge. The vulnerabilities exploited didn't care how the stolen information would be used - basic security hygiene would have prevented the access.

Read more in:

Federal Times: Hacker charged with cyber terrorism gets 20 years
-http://www.federaltimes.com/articles/hacker-charged-with-cyber-terrorism-gets-20-years


ZDNet: Hacker who leaked US military 'kill list' for ISIS sent behind bars
-http://www.zdnet.com/article/hacker-who-leaked-us-military-kill-list-for-isis-sent-behind-bars/


DoJ: ISIL-Linked Kosovo Hacker Sentenced to 20 Years in Prison
-https://www.justice.gov/opa/pr/isil-linked-kosovo-hacker-sentenced-20-years-prison

OpenSSL Patches Updates it Just Released (September 23, 25, and 26, 2016)

Last week, the OpenSSL Project released security updates to fix at least a dozen flaws in the cryptographic library. Two of the patches were found to contain security issues of their own, and the OpenSSL Project has released fixes for those patches. One of the new patches fixes a dangling pointer vulnerability; the other remedies an omitted certificate revocation list (CRL) sanity check.

Read more in:

SC Magazine: OpenSSL patches 14 vulns, including high-severity flaw that can be exploited for DoS
-http://www.scmagazine.com/openssl-patches-14-vulns-including-high-severity-flaw-that-can-be-exploited-for-dos-attacks/article/524787/


The Register: OpenSSL swats a dozen bugs, one notable nasty
-http://www.theregister.co.uk/2016/09/23/openssl_swats_a_dozen_bugs_one_notable_nasty/


The Register: Patch AGAIN: OpenSSL security fixes now need their own security fixes
-http://www.theregister.co.uk/2016/09/26/openssl_patches_last_weeks_patch/

ZDNet: Sloppy programming leads to OpenSSL woes
-http://www.zdnet.com/article/sloppy-programming-leads-to-openssl-woes/

RTCA Gives FAA Aviation Industry Draft Cybersecurity Guidelines (September 23 and 26, 2016)

The Radio Technical Commission for Aeronautics (RTCA) has created draft cybersecurity regulations for the aviation industry. The draft guide was provided to the US Federal Aviation Administration (FAA) to help it establish appropriate standards for aviation equipment on the ground and in the air.


[Editor Comments]

[Pescatore]
There seems to be an appropriate level of attention going to making sure security is built into on-board systems and in the air traffic control network. But a while back PwC issued a report that mentioned an area that has worried me that doesn't seem to be getting enough attention - the use by pilots of "Electronic Flight Bags" which are essentially tablets that have replaced a lot of written documents. EFBs are carried around by pilots and have both wireless and wired access to onboard systems when used in the cockpit. I hope the RTCA includes those in the draft regulations.

Read more in:

Dark Reading: Advisory Body Calls For Stronger Cybersecurity Measures Across Airline Industry
-http://www.darkreading.com/risk/advisory-body-calls-for-stronger-cybersecurity-measures-across-airline-industry/d/d-id/1327002?


SC Magazine: RTCA airline recs aim to strengthen aviation cybersecurity
-http://www.scmagazine.com/rtca-airline-recs-aim-to-strengthen-aviation-cybersecurity/article/524973/

FTC Data Breach Recovery Advice (September 21 and 23, 2016)

The US Federal Trade Commission (FTC) has released a video offering advice for users whose personal information has been compromised. The video tells viewers whose data have been stolen to visit identitytheft.gov/databreach for detailed steps to take after a breach.

Read more in:

Dark Reading: FTC Releases Video With Data Breach Recovery Advice
-http://www.darkreading.com/cloud/ftc-releases-video-with-data-breach-recovery-advice/d/d-id/1326992


FTC: Data breaches and you - a new video
-https://www.consumer.ftc.gov/blog/data-breaches-and-you-new-video

Cisco Warns of Critical Vulnerability In Cloud Services (September 22, 2016)

Cisco has warned of two security holes (one rated critical, the other high) in its Cisco Cloud Services Platform 2100 (CCSP). One could allow an unauthenticated user to inject commands into the system. Cisco has not issued a patch, but a workaround is available.

Read more in:

Threatpost: Cisco Warns of Command Injection Flaw in Cloud Platform
-https://threatpost.com/cisco-warns-of-command-injection-flaw-in-cloud-platform/120804/

Cisco Security Advisory: cisco-sa-20160921-csp2100-2
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-csp2100-2

Cisco Security Advisory: cisco-sa-20160921-iox
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160921-iox


INTERNET STORM CENTER TECH CORNER

Analyzing Malicious .PUB files
-https://isc.sans.edu/forums/diary/PUB+Analysis/21517/

iOS 10 Backup Passwords Easier to Crack
-http://blog.elcomsoft.com/2016/09/ios-10-security-weakness-discovered-backup-passwords-much-easier-to-break/

Windows 10 Certificate Pinning of Microsoft Domains
-http://hexatomium.github.io/2016/09/24/hidden-w10-pins/

IBM Geoblocking Fail For Australian Census
-http://www.aph.gov.au/DocumentStore.ashx?id=124f22ba-caaa-46ff-899d-7d96851fee3e&subId=414127

97% Of Fortune 1000 Companies Have Leaked Credentials
-http://info.digitalshadows.com/rs/457-XEY-671/images/CompromisedCredentials-LearnFromtheExposureoftheWorlds1000BiggestCompanies-Download.pdf

Decompiling P-Code
-https://isc.sans.edu/forums/diary/VBA+and+Pcode/21521/

Lenovo To Add FIDO Compliant Fingerprint Reader
-http://www.theregister.co.uk/2016/09/26/intel_and_lenovo_give_the_finger_to_passwords_with_fido/

More Details On Simpler Password Hashing in iOS 10
-https://twitter.com/thorsheim/status/779207177416351744

Mozilla to Remove WoSign and StartCom From Trusted List
-https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create