SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #8

January 29, 2016

In 2015, the businesses and government agencies that minimized the
damage done by advanced targeted threats used combinations of skilled
staff, mature security processes and advanced security technology to be
both effective and efficient at enabling business while dealing with
real world threats. Please point us to products and services that
impressed you as nominations for the "Best of 2016" awards that will be
announced at the SANS 2016 Annual Conference in Orlando FL during the
week of March 14th, 2016. Go to
https://www.surveymonkey.com/r/SANSBestof2015 to add your nominations.

---

TOP OF THE NEWS

Why Incident Response is Difficult for Industrial Control Systems
Israeli Regulatory Agency Hit by Ransomware
Lenovo Fixes Flaws in SHAREit

THE REST OF THE WEEK'S NEWS

NSA's Cyber Attack Chief Speaks at Usenix
OpenSSL Update Fixes Traffic Decryption Vulnerability
Samsung Updates Fix Flaws in Android OS and Galaxy Devices
Legislators Want to Know Which Agencies Use Juniper Firewalls
PayPal Fixes Java Deserialization Flaw
California Police Department Uses Stingrays from Planes
NYC Department of Consumer Affairs Investigating Baby Monitor Security
Wendy's Investigating Reports of Breach
cPanel Database Breach
Mozilla Updates Firefox to Version 44
Oracle Retiring Java Plugin
ConEd Site Flaw

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************ Sponsored By Splunk ***************************

Splunk is named a leader in the 2015 Gartner SIEM Magic Quadrant for the 3rd time in a row and remains at the forefront of solving advanced and emerging SIEM use cases. Learn how Splunk security analytics can dramatically improve the detection, response and recovery from advanced threats. Get your copy of the report today.
http://www.sans.org/info/180747

***************************************************************************

TRAINING UPDATE

- --SANS Las Vegas 2016 | Las Vegas, NV | January 9-14, 2016 | 6 courses.
http://www.sans.org/u/an6

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 5 courses.
http://www.sans.org/u/aBH

- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses; including the new FOR578 Cyber Threat Intelligence course.
http://www.sans.org/u/dgM

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Why Incident Response is Difficult for Industrial Control Systems (January 28, 2016)

Incident response in an Industrial Control System (ICS) environment is complex. Portions of incident response plans in pure IT environments do not translate well to ICS environments. In addition, power and manufacturing plant network operators may not be inclined to apply patches because of the threat of downtime or disruption.
-http://www.darkreading.com/perimeter/how-incident-response-fails-in-industrial-c
ontrol-system-networks/d/d-id/1324094
[Editor's Note (Pescatore): This fits under the broader category of IT/OT (IT Operations Technology) Integration. Many security programs, architectures, policies and controls don't span the two areas very well. ICS is one example; medical systems are another glaring one. Lots of good guidance out there on how to attack this, but invariably needs to start from the top of the organization - often the CIO has the same problem. (Murray): This remains an attitude problem. These systems are connected to the public networks for the convenience of the operators. The operators continue to believe that convenient access to these systems and applications to deal with routine problems trumps denying access to attackers or responding to attacks. They have even convinced the DHS, whose guidance focuses on patching and restrictive access control ("white listing") at the expense of secure remote access and strong authentication. In the last decade security from malice has lost ground to security from accidents. (Liston): Despite the fact that ICS environments have been around for (essentially) as long as more general purpose networks, they've never received much security focus. IR in an ICS environment is a specialized skill. While several tools and techniques from more general IR work are applicable, new tools and skills will be necessary. ]

Israeli Regulatory Agency Hit by Ransomware (January 27 and 28, 2016)

Reports of a cyberattack on Israel's Electrical Authority have been misleading. While the country's Energy Minister said that the Israeli Electricity Authority was the target of "one of the largest cyber attacks" the agency had endured, the issue was found to be ransomware. Furthermore, SANS's Rob Lee noted that the Electrical Authority is a regulatory agency and "is in no way related to the networks of the Israeli electric companies, transmission, or distribution sites."
-http://www.theregister.co.uk/2016/01/28/israel_power_grid_attack_boring_ransomwa
re/
-http://www.computerworld.com/article/3026609/security/no-israels-power-grid-wasn
t-hacked-but-ransomware-hit-israels-electric-authority.html
[Editor's Note (Murray): The ability of attackers to bypass the banking system using crypto currencies lowers the risk to criminals, and increases the risk to the rest of us, of all kinds of extortion schemes. (Honan): People dealing with the media, especially mainstream media, could do well to take a lead from Rob Lee's approach to commenting on these issues, which is one of informed feedback and analysis with no speculation or hype. ]

Lenovo Fixes Flaws in SHAREit (January 27, 2016)

Lenovo has fixed a number of vulnerabilities in its SHAREit filesharing utility that could be exploited to access and make copies of files. The flaws include a hardcoded password in the Windows version of SHAREit, and transferring files without encryption in version for Windows and Android. Windows users should upgrade to version 3.2.0; Android users should upgrade to version 3.5.38_ww.
-http://www.computerworld.com/article/3026348/security/lenovo-fixes-hard-coded-pa
ssword-in-file-sharing-utility.html

---

************************** SPONSORED LINKS ********************************
1) Is Active Breach Detection the Next-Generation Security Technology? Thursday, March 10, 2016 at 1:00 PM EST (18:00:00 UTC) with Dave Shackleford and Paul Kraus. http://www.sans.org/info/183077

2) What Works in Threat Prevention: Detecting and Stopping Attacks More Accurately and Quickly with Threatstop. Friday, February 12, 2016 at 1:00 PM EST (18:00:00 UTC)with John Pescatore and Ken Compres. http://www.sans.org/info/183082

3) CISO Hot Topic: Communicating to and Influencing CEOs and Boards of Directors: What Works and What to Avoid. Tuesday, February 09, 2016 at 6:00 PM EST (23:00:00 UTC) featuring John Pescatore, Alan Paller. http://www.sans.org/info/183087
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

NSA's Cyber Attack Chief Speaks at Usenix (January 27 and 28, 2016)

Rob Joyce, head of the National Security Agency's (NSA) Tailored Access Operations (TAO) unit spoke at the Usenix conference in San Francisco last week. TAO's focus is gaining access to foreign adversaries' computers and gathering data. Joyce outlined the steps his unit takes in its missions, and he also gave advice for keeping attackers out of systems.
-http://www.technologyreview.com/news/546251/nsa-hacking-chief-internet-of-things
-security-keeps-me-up-at-night/
-http://www.theregister.co.uk/2016/01/28/nsas_top_hacking_boss_explains_how_to_pr
otect_your_network_from_his_minions/
-http://www.wired.com/2016/01/nsa-hacker-chief-explains-how-to-keep-him-out-of-yo
ur-system/
[Editor's Note (Honan): Well worth reading. The video of the talk is available here:
-https://youtu.be/bDJb8WOJYdA]

OpenSSL Update Fixes Traffic Decryption Vulnerability (January 28, 2016)

The OpenSSL project team has released updates for supported versions of the cryptographic library to address a pair of vulnerabilities. One of the flaws could be exploited to decrypt HTTPS traffic. Attackers could obtain the decryption key. Users should upgrade to version 1.0.2f or 1.0.1r. The team also reminded users that versions 0.9.8 and 1.0.0 are no longer supported.
-http://arstechnica.com/security/2016/01/high-severity-bug-in-openssl-allows-atta
ckers-to-decrypt-https-traffic/
-https://www.openssl.org/news/secadv/20160128.txt
[Editor's Note (Williams): While this is a serious vulnerability, many organizations are continuing to use applications statically linked with the no longer supported OpenSSL 0.98 and 1.0. While the unsupported versions of OpenSSL don't contain this vulnerability, they contain a number of other vulnerabilities that may impact security. Many organizations make the common patching mistake of forgetting to restart applications that dynamically load OpenSSL after patching. Without restarting the applications after patching, the applications continue to use the old version of OpenSSL and remain vulnerable. ]

Samsung Updates Fix Flaws in Android OS and Galaxy Devices (January 27, 2016)

Samsung has issued security updates to fix vulnerabilities in both the Android operating system and the Galaxy devices themselves. The flaws could be exploited to allow arbitrary code execution, corrupt memory, and reboot factory reset protections. The flaws in Android are the ones Google disclosed in December.
-http://www.scmagazine.com/samsung-security-update-fixes-critical-bugs-hidden-in-
galaxy-devices-android-os/article/467857/
-http://www.zdnet.com/article/android-security-samsung-plugs-six-os-and-seven-gal
axy-specific-bugs/

Legislators Want to Know Which Agencies Use Juniper Firewalls (January 26 and 27, 2016)

The US House Committee on Oversight and Government Reform wants to know which agencies use Juniper NetScreen firewall appliances. For the past four years, these appliances have had a backdoor that could be used to eavesdrop on encrypted communication. The agencies have until February 4 to provide the committee with documentation.
-http://thehill.com/policy/cybersecurity/267170-house-it-chair-backdoor-may-be-le
tting-spies-steal-intelligence
-http://thehill.com/policy/cybersecurity/267041-house-oversight-probes-flawed-sof
tware-driving-spying-fears
-http://www.computerworld.com/article/3026440/security/congress-to-federal-agenci
es-you-have-two-weeks-to-tally-your-backdoored-juniper-kit.html
-http://arstechnica.com/tech-policy/2016/01/moment-of-truth-feds-must-say-if-they
-used-backdoored-juniper-firewalls/
[Editor's Note (Pescatore): They should add Fortinet firewalls to the investigation, since hard coded passwords for SSH access have been reported in Fortinet's FortiOS software. (Honan): Yes. Fortinet; and AMX should be added, as well. (Murray): Legislators should be focused on the origin, exploitation, and persistence of the vulnerability. Did one government initiative put the rest of the government at risk? ]

PayPal Fixes Java Deserialization Flaw (January 27, 2016)

PayPal has fixed a Java deserialization vulnerability in manager.paypal.com that could have been exploited to take control of production systems. PayPal was notified of the flaw on December 13, 2015, and patched it soon after.
-http://www.theregister.co.uk/2016/01/27/paypal_patches_deadly_server_remote_code
_execution_flaw_pays_5k/
-http://www.scmagazine.com/paypals-business-site-vulnerable-to-remote-code-execut
ion/article/467853/
-http://www.computerworld.com/article/3027034/security/paypal-is-the-latest-victi
m-of-java-deserialization-bugs-in-web-apps.html
[Editor's Note (Williams): Deserialization flaws are arguably the most critical type of web application vulnerability. While XSS may redirect a user and SQL Injection may disclose data, Java deserialization flaws provide the attacker with code execution on the server. Unfortunately, many developers fail to understand these vulnerabilities. I regularly see serialized objects stored in cookies (eek). FoxGlove security did a great technical writeup on serialization found here:
-http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-
opennms-and-your-application-have-in-common-this-vulnerability/]

California Police Department Uses Stingrays from Planes (January 27 and 28, 2016)

According to documents obtained by the American Civil Liberties Union (ACLU), the police department in Anaheim, California, has used surveillance technology that has been referred to as "stingray on steroids." Known as Dirtboxes, the powerful cell-site simulators are mounted on airplanes. A California state law that came into effect on January 1, 2016 requires law enforcement agents to obtain a warrant before using a cell-site simulator.
-http://arstechnica.com/tech-policy/2016/01/city-cops-in-disneylands-backyard-hav
e-had-stingray-on-steriods-for-years/
-http://www.wired.com/2016/01/california-police-used-stingrays-in-planes-to-spy-o
n-phones/
-https://www.documentcloud.org/documents/2699418-201601-Anaheim-Cell-Surveillance
-Docs.html

NYC Department of Consumer Affairs Investigating Baby Monitor Security (January 27, 2016)

The New York City Department of Consumer Affairs is investigating baby monitors that are vulnerable to attacks. The agency has sent subpoenas to four as-yet unnamed companies asking for information about the way they address the security of their products. It has also posted an alert for consumers that includes advice on how to protect their monitors.
-http://www.nbcnews.com/tech/security/hack-alert-nyc-regulators-warn-parents-secu
re-their-baby-monitors-n505391
-http://www.wired.com/2016/01/nyc-investigating-hackable-baby-monitors/
-http://www1.nyc.gov/site/dca/media/pr012716.page

Wendy's Investigating Reports of Breach (January 27, 2016)

The Wendy's fast food restaurant chain is looking into reports of a breach that compromised customer payment card information. The Ohio-based company has hired an outside security company to conduct the investigation.
-http://thehill.com/policy/cybersecurity/267197-wendys-investigating-possible-cre
dit-card-breach
-http://www.theregister.co.uk/2016/01/27/us_wendys_stores_breached/
-http://krebsonsecurity.com/2016/01/wendys-probes-reports-of-credit-card-breach/
-http://www.eweek.com/security/wendys-investigates-possible-data-breach.html
[Editor's Note (Murray): It is now obvious to the casual observer that our retail payment system is fundamentally vulnerable to fraudulent reuse of credit card numbers. However, this problem is greatly exacerbated by the practices of the hospitality industry and the practices of those who provide them with services from point of sale and credit card transaction processing software to management of HVAC. ]

cPanel Database Breach (January 27 and 28, 2016)

A cPanel customer database may have been compromised. cPanel is a web hosting platform management tool. The company is asking users to change their access credentials. A cPanel executive said that they "successfully interrupted the breach," but couldn't be certain whether user data were taken.
-http://www.zdnet.com/article/hackers-launch-cyberattack-against-cpanel-systems/
-http://www.theregister.co.uk/2016/01/27/cpanel_security_breach/

Mozilla Updates Firefox to Version 44 (January 26 and 28, 2016)

On Tuesday, January 26, Mozilla released Firefox 44, which addresses a dozen flaws in the company's flagship browser. With version 44, Firefox users can now receive push notifications via the Web Push W3C standard.
-http://www.eweek.com/security/firefox-44-debuts-with-improved-security.html
-http://www.zdnet.com/article/mozilla-firefox-44-update-fixes-critical-vulnerabil
ities/
[Editor's Note (Northcutt): I updated this morning. That is not a lot of rigorous testing obviously, but everything worked; so far. With Web Push, I may change from Firefox/No Script as my default browser to the things I am most interested in. I think we are all suffering from notification overload:
-https://hacks.mozilla.org/2016/01/web-push-arrives-in-firefox-44/]

Oracle Retiring Java Plugin (January 26 and 28, 2016)

Oracle is phasing out its Java browser plugin. In a whitepaper titled "Migrating from Java Applets to Plugin-free Java Technologies," Oracle said it "is planning to deprecate the Java browser plugin in JDK (Java Development Kit) 9," and that it will be removed from JDK and JRE (Java Runtime Environment) in the future. JDK 9 is scheduled to ship in September 2016.
-https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free
-http://www.bbc.com/news/technology-35427685
-http://www.zdnet.com/article/java-browser-plugin-to-be-sent-to-death-row-in-sept
ember/
-http://www.darkreading.com/endpoint/oracle-retires-java-browser-plug-in/d/d-id/1
324087?
-http://arstechnica.com/information-technology/2016/01/oracle-deprecates-the-java
-browser-plugin-prepares-for-its-demise/
-http://www.wired.com/2016/01/goodbye-applets-another-cruddy-piece-of-web-tech-is
-finally-going-away/
[Editor's Note (Williams): The reality is that the plugin isn't going away - only support for the plugin is. Many organizations currently depend on the plugin for browser-based Java applications that may no longer have developer support. Organizations without good software inventories (SANS Critical Security Control #2) need to start looking *today* for plugin based applications that need to be migrated before the Java plugin architecture stops receiving patches. (Liston): Ding-dong, the Wicked Witch is DEAD!!! ]

ConEd Site Flaw (January 26, 2016)

A vulnerability on the Con Edison (ConEd) website could put users at risk of account spoofing and data theft. A ConEd spokesperson says that the company has taken steps to make customer sign-in more secure. ConEd serves more than three million customers in New York City and Westchester County.
-http://www.zdnet.com/article/con-edison-website-security-puts-customer-passwords
-at-risk/

---

STORM CENTER TECH CORNER

Pentest Time Machine: NMAP + Powershell + whatever tool is next
-https://isc.sans.edu/forums/diary/Pentest+Time+Machine+NMAP+Powershell+whatever+
tool+is+next/20653/

More Car Hacking
-http://cseweb.ucsd.edu/~savage/papers/WOOT15.pdf

More ISPs Turn Wifi Routers Into Public Hotspots
-http://www.juniperresearch.com/press/press-releases/1-in-3-home-wi-fi-routers-to
-double-as-public-hots

More Business E-Mail Compromise News
-http://www.scmagazineuk.com/aeroplane-part-maker-claims-cyber-fraud-cost-it-50-m
illion/article/467343/

Help Wanted: Where do these odd SYN-ACK packets come from?
-https://isc.sans.edu/forums/diary/SYNACK+Packets+With+Data/20661/

Safari Crashes on iOS and OS X
-http://www.macrumors.com/2016/01/27/safari-crashing-how-to-fix/

Drawbacks Of Encrypted Communication
-https://www.usenix.org/conference/enigma2016#main

More and Larger DDoS Attacks
-http://www.arbornetworks.com/resources/annual-security-report

Dridex Malspam Example From January 2016
-https://isc.sans.edu/forums/diary/Dridex+malspam+example+from+January+2016/20663
/

Virustotal Adds Support For Firmware Malware
-http://blog.virustotal.com/2016/01/putting-spotlight-on-firmware-malware_27.html

Facebook XSS Exploit
-http://blog.virustotal.com/2016/01/putting-spotlight-on-firmware-malware_27.html

AngularJS XSS via Template Injection
-http://blog.portswigger.net/2016/01/xss-without-html-client-side-template.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/