SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #9

February 02, 2016



Teams all over the country are gearing up for the Collegiate Cyber
Defense Competition regional contests. The last story in Top of the News
has info on how teams are getting a skills edge for the competition.

Alan

TOP OF THE NEWS

Safe Harbor Deadline Passed: Agreement Reached
Apache Server Default Configuration Exposes Tor Sites
Report Says the Threat of 'Going Dark' is Overstated
New Tools Help Prepare for Upcoming CCDC (and CyberPatriot) Regional Competitions

THE REST OF THE WEEK'S NEWS

Australian Hospital Still Struggling with Malware
Defense Department Test and Evaluation Report
Census Bureau Decides Against BYOD
HSBC Defends Against DDoS
Cisco Security Updates
Fraternal Order of Police Acknowledges Data Theft
Blackshades Malware Developer Gets Probation
First Cyber-Terrorism Case to be Tried in US

STORM CENTER TECH CORNER


****************** Sponsored By Palo Alto Networks **********************

CISO Hot Topic: Communicating With CEOs and Boards of Directors: What Works and What to Avoid

Tuesday, February 09, 2016 at 6:00 PM EST (23:00:00 UTC) featuring John Pescatore and Alan Paller. A CISO Hot Topic. Live at SANS Scottsdale and streamed around the world. Real world advice for CISOs on how to make the most of opportunities to interact with top management to increase the effectiveness (and funding) of their security programs.
http://www.sans.org/info/183232

***************************************************************************

TRAINING UPDATE

- --Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 5 courses.
http://www.sans.org/u/aBH

- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses; including the new FOR578 Cyber Threat Intelligence course.
http://www.sans.org/u/dgM

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Safe Harbor Deadline Passed: Agreement Reached (January 29 and February 2, 2016)

The deadline for the US and European Union negotiators to reach a new Safe Harbor data protection agreement satisfactory to both entities was January 31, 2016. The old arrangement was invalidated last fall after the EU Court of Justice found that it did not adequately protect the privacy of EU citizens.
-http://thehill.com/policy/cybersecurity/267518-week-ahead-safe-harbor-talks-go-down-to-the-wire

-http://www.computerworld.com/article/3027610/data-privacy/no-agreement-as-deadline-to-replace-safe-harbor-nears.html

-http://arstechnica.com/tech-policy/2016/02/us-and-european-union-fail-to-strike-deal-on-new-safe-harbour-pact/

[Editor's Note (Honan): While the deadline may have passed, negotiations continued, and earlier today a new Safe Harbor agreement was reached. It is important to note that this new agreement will still have to satisfy the earlier rulings and concerns of the European Court of Justice.
-http://fortune.com/2016/02/02/looks-like-data-will-keep-flowing-from-the-eu-to-the-u-s-after-all/
]

Apache Server Default Configuration Exposes Tor Sites (February 1, 2016)

The default configuration of the Apache HTTP server is exposing the locations of Tor websites. Sites running Apache need to disable the mod_status module, which serves a server status page containing sensitive information.
-http://arstechnica.com/security/2016/02/default-settings-in-apache-may-decloak-tor-hidden-services/

-http://www.scmagazine.com/apache-server-default-setting-leaves-tor-users-identities-vulnerable/article/470268/

[Editor's Note (Ullrich): All Apache servers need to run without mod_status exposed. This isn't a specific Tor issue but is, of course, even more of a problem with Tor promising anonymity. In general, using Tor does not reduce the need for a secure server configuration. To the contrary, if you believe your content is sensitive enough to warrant the use of Tor, you probably should pay particular attention to the infrastructure used to serve the content. (Liston): Leaving mod_status pages out in the open is just a bad idea generally. Remember: Tor can't fix "stupid" on the part of site admins. ]
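To make the exposure concrete, below is the part of the mod_status configuration that Debian-derived Apache 2.4 packages enable by default, why its access control does not hold for an onion service, and the remediation the item calls for. This is an added example, not text from the newsletter or the linked articles; the file path and directives are reproduced from memory of those packages, and the torrc lines, port numbers and vhost name are assumptions.

```apache
# --- Weak (the packaged default) ---
# /etc/apache2/mods-available/status.conf, symlinked into mods-enabled/
# by the package, so it is active on a fresh install.
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        # Meant to limit the page to administrators on the box itself.
        Require local
    </Location>
    # Adds per-request rows (client address, virtual host, request line).
    ExtendedStatus On
</IfModule>

# Why "Require local" does not protect a hidden service: the tor daemon
# terminates the onion circuit and opens a plain TCP connection to the
# web server FROM 127.0.0.1, so every onion visitor satisfies "Require
# local" and can fetch /server-status. With ExtendedStatus on, the page
# lists the other virtual hosts being served, their request URIs and the
# connecting clients, which can tie the onion service to its clearnet
# identity. Assumed torrc that produces this situation:
#
#   HiddenServiceDir  /var/lib/tor/hidden_service/
#   HiddenServicePort 80 127.0.0.1:80

# --- Fix 1 (what the item recommends): do not load the module at all.
# On Debian/Ubuntu:
#   a2dismod status && systemctl reload apache2
# With the module unloaded the <IfModule mod_status.c> block is inert and
# no URL path maps to the status handler.

# --- Fix 2 (only if monitoring genuinely needs the page) ---
# Remove the global <Location /server-status> block from status.conf and
# serve the handler solely on a listener that tor never forwards to.
# ExtendedStatus stays off so the page carries aggregate counters only.
ExtendedStatus Off
Listen 127.0.0.1:8081
<VirtualHost 127.0.0.1:8081>
    # Assumed admin-only name; this port is not in any HiddenServicePort.
    ServerName status.localhost
    <Location /server-status>
        SetHandler server-status
        Require ip 127.0.0.1
    </Location>
</VirtualHost>
```

After either fix, a request for /server-status through the tor-facing port should return 404, which is the check to run before trusting the change.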

Report Says the Threat of 'Going Dark' is Overstated (February 1, 2016)

A report from Harvard's Berkman Center for Internet & Society says that US law enforcement's concerns about encryption allowing terrorists to "go dark" overstate the problem. The report said that while encryption may hinder some surveillance activity, the increasing spread of Internet connected devices can "likely fill some of these gaps and ... ensure that the government will obtain new opportunities to" conduct surveillance.
-http://thehill.com/policy/cybersecurity/267717-law-enforcement-overstating-going-dark-warnings-study-finds

-http://www.computerworld.com/article/3028106/security/harvard-study-refutes-going-dark-argument-against-encryption.html

-http://www.zdnet.com/article/encryption-not-as-bad-for-police-as-first-thought-study-finds/

-http://www.cnet.com/news/law-enforcements-encryption-claims-overblown-study-finds/

[Editor's Note (Northcutt): I have been studying this issue in depth. Going dark is only possible if you never log in to anything and never run a script, (good luck with that). Here are some early results, more is coming:
-http://securitywa.blogspot.com/2015/12/browser-safety-digital-cover-and.html]

New Tools Help Prepare for Upcoming CCDC and CyberPatriot Regional Competitions (February 2, 2016)

Teams all over the country are gearing up for the regional competitions. The coach of one of the teams that has performed very well in its regionals offers this advice about the hands-on exercises he found that help his team develop key skills. He is sharing it because the goal of CCDC is developing the national pipeline of highly skilled people, not just winning. He said, "The hands-on challenges I found at pivotproject.org site give a CCDC team a leg up by helping them build skills fundamental to the game: Linux command line usage, network security, and forensics." Also, this from a successful CyberPatriot coach: "If you are mentoring a CyberPatriot team and looking for ideas to help your team hone their skills, add the Pivot challenges (especially Command Line and Nmap) for productive and fun practice sessions." The pivotproject.org challenges were built by Ed Skoudis' team with help from BSides and collegiate and high school faculty. They are useful for anyone who needs better hands-on skills, not just competitive teams. And pivotproject is giving out Amazon gift certificates to people who provide constructive feedback and suggestions for additional challenges. Challenges:
-http://pivotproject.org/
Amazon Gift Certificates:
-http://pivotproject.org/contest

************************** SPONSORED LINKS ********************************
1) Risky Business: Evaluating the True Risk to your Security Program. Monday, February 08, 2016 at 1:00 PM EST (18:00:00 UTC) with Johannes Ullrich, Demetrios Lazarikos, and Mike Goldgof. http://www.sans.org/info/183237

2) SANS 2016 IT Security Spending Strategies Survey Wednesday, February 03, 2016 at 1:00 PM EST (18:00:00 UTC) with Barbara Filkins, G. Mark Hardy (moderator), Simon Gibson and Gary Sockrider. http://www.sans.org/info/183242

3) Share Your AppSec Experience & Insights in 2016 Survey - Enter to Win $400 Amazon Gift Card LINK: http://www.sans.org/info/183247
***************************************************************************

THE REST OF THE WEEK'S NEWS

Australian Hospital Still Struggling with Malware (February 2, 2016)

Computer systems at Royal Melbourne Hospital are still infected with Qbot, malware that has the ability to steal account access credentials. While most departments' systems are once again functional, Qbot "mutated six times" in one day, according to a Melbourne Health executive. The hospital is using computers running on Windows XP.
-http://www.zdnet.com/article/qbot-virus-still-attacking-royal-melbourne-hospital/

[Editor's Note (Williams): While it is easy to say "this won't happen to me," most organizations with more than a thousand machines still have pockets of Windows XP and Server 2003 in their network. Network segmentation is key to living with these legacy assets, many of which can't be upgraded due to third party software limitations. (Liston): I'm sure that sometime over the past few years someone has presented a successful argument that these systems couldn't be migrated to a current/supported OS. It was likely "too costly" or involved "significant downtime" or necessary applications "just aren't supported on a newer OS." How many of you have let similar arguments plant a ticking time bomb in your organization? ]

Defense Department Test and Evaluation Report (February 1, 2016)

The US military has been unable to access information about F-35 jet maintenance because the Lockheed Martin database does not meet the government's cybersecurity requirements. The database cannot be accessed through government networks. The situation was included in an annual report on major weapons systems from the Defense Department Operational Test and Evaluation director Michael Gilmore.
-http://www.bloomberg.com/news/articles/2016-02-01/cybersecurity-gap-blocks-pentagon-from-a-lockheed-f-35-database

-http://www.dote.osd.mil/pub/reports/FY2015/

Census Bureau Decides Against BYOD (January 29, 2016)

The US Census Bureau has decided not to allow employees to use their own Internet-connected devices while gathering information for the 2020 census. Instead, the bureau will procure devices that will run its Compass application, which runs on multiple operating systems.
-https://fcw.com/articles/2016/01/29/census-byod-noble.aspx
[Editor's Note (Henry): Why was this even under consideration? Maybe it's me, but collecting/storing/transmitting data related to a USG program on personal devices is just a bad idea on so many levels. From a security and administration perspective, there should be consistency in the hardware and applications deployed, and the Census Bureau will have much more control over the devices they manage and control. ]

HSBC Defends Against DDoS (January 29, 2016)

A distributed denial-of-service (DDoS) attack disrupted availability of HSBC's UK online banking system. The attack appears to have begun around 11 am GMT on Friday, January 29. At 9 pm that same day, HSBC declared that their "internet and mobile banking are now fully recovered." Customers were urged to visit local branches to conduct transactions.
-http://arstechnica.com/security/2016/01/hsbc-online-banking-suffers-major-outage-blames-ddos-attack/

-http://www.zdnet.com/article/hsbc-fights-off-denial-of-service-attack-on-its-internet-banking-systems/

-http://www.scmagazine.com/hsbc-uk-online-banking-operations-disrupted-by-ddos-attack/article/469460/

-http://www.v3.co.uk/v3-uk/news/2444093/hsbc-website-taken-offline-by-ddos-attack

Cisco Security Updates (January 29, 2016)

Cisco has issued security updates to address vulnerabilities in a variety of products. The fixes include one for a critical flaw in Cisco's RV220W wireless network security firewalls. The most current version of firmware for those devices is now 1.0.7.2.
-http://www.computerworld.com/article/3027962/security/cisco-patches-authentication-denial-of-service-ntp-flaws-in-many-products.html

[Editor's Note (Williams): One vulnerability in the RV220W is an authentication bypass that potentially allows remote users to take control of the device. Unfortunately, the RV220W is targeted at small businesses, meaning that people most likely to be impacted by the vulnerability are the least likely to patch (due to resource constraints). Larger organizations may have these devices deployed at satellite offices and should patch immediately. ]

Fraternal Order of Police Acknowledges Data Theft (January 29, 2016)

The US Fraternal Order of Police (FOP) says that attackers breached its computer systems, stole data, and posted it on the Internet. The FOP represents more than 325,000 law enforcement officers.
-http://www.nbcnews.com/tech/security/hackers-take-aim-fop-nation-s-largest-police-union-n507126

-http://thehill.com/policy/cybersecurity/267499-hackers-post-contracts-for-largest-us-police-union

-http://www.theregister.co.uk/2016/01/29/us_police_contracts_and_private_forum_posts_dumped_online/

Blackshades Malware Developer Gets Probation (January 29 and February 1, 2016)

A US district judge in New York has sentenced Michael Hogue to five years of probation for his role in the creation of a remote access Trojan (RAT) distributed through a group known as Blackshades. The malware was used to compromise more than one million computers. Alex Yucel, who operated Blackshades, was sentenced to 57 months in prison last summer.
-http://www.nbcnews.com/tech/security/co-creator-blackshades-malware-gets-five-years-probation-n507061

-http://www.theregister.co.uk/2016/02/01/blackshades_us_dev_joins_cocreator_with_five_year_prison_sentence/

-http://www.scmagazine.com/blackshades-malware-co-author-sentenced-to-five-years-probation/article/469574/

[Editor's Note (Henry): My first reaction when I saw this was "five years PROBATION for his role in creating this damaging RAT?!" Then I read the background, and see that he cooperated with authorities, with his assistance likely being instrumental in the prosecution of others. It's indicative of the necessary tactics law enforcement must use in order to successfully investigate these crimes, and the continued merging of the physical and digital worlds. ]

First Cyber-Terrorism Case to be Tried in US (February 1 and January 27, 2016)

A citizen of Kosovo appeared in US district court last week to face charges of hacking, identity theft, and providing material support to a terrorist organization. Ardit Ferizi is the first person to be tried in US courts in a cyber-terrorism case.
-http://www.darkreading.com/vulnerabilities---threats/first-hacker-arrested-for-cyberterror-charges-arrives-in-american-court/d/d-id/1324133?

-http://www.justice.gov/opa/pr/isil-linked-hacker-arrives-united-states-face-terrorism-charges


STORM CENTER TECH CORNER

Lockdroid Ransomware Exploits Android Flaw
-http://www.symantec.com/connect/blogs/android-ransomware-variant-uses-clickjacking-become-device-administrator

February 1st "Change Your Password Day"
-http://gizmodo.com/5879669/february-1-is-change-your-password-day-ive-decided

iOS "Hot Patching" May Bypass Appstore Control
-https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html

Exploiting Sparkle Updater For OS X
-https://www.evilsocket.net/2016/01/30/osx-mass-pwning-using-bettercap-and-the-sparkle-updater-vulnerability/

Update On Sparkle OS X Evilgrade Vulnerability
-https://www.taoeffect.com/blog/2016/01/sky-not-falling-sparklegate-not-as-bad-as-it-could-be/

LibreSSL Update
-https://marc.info/?l=openbsd-announce&m=145402412811643&w=2

rm -rf / Bricks Some Systems
-http://www.phoronix.com/scan.php?page=news_item&px=UEFI-rm-root-directory


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/