

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #56

July 15, 2016


HIPAA Guidance on Reporting Ransomware
FDIC Systems Intrusions Not Reported
Fiat Chrysler Announces Bug Bounty Program


US Appeals Court Sides with Microsoft in Ireland Server Case
Clock-Based Intrusion Detection for Automobile Systems
Fixes Available for Drupal Remote Code Execution Flaws
Locky Ransomware Encrypts Files Even When Computers are Offline
Juniper Patches for Junos OS
Four-Year Prison Sentence for Conspiracy to Steal Defense Data
Malware Found on European Energy Company System
Patch Tuesday: Microsoft and Adobe




HIPAA Guidance on Reporting Ransomware (July 14, 2016)

According to new Health Insurance Portability and Accountability Act (HIPAA) guidance, ransomware attacks must be reported to the Department of Health and Human Services (HHS). The guidance "describes ransomware attack prevention and recovery from a healthcare sector perspective, including ... how HIPAA breach notification processes should be managed in response to a ransomware attack."

[Editor Comments ]

[Pescatore ]
The HHS guidance basically says that if an attacker was able to encrypt files containing PHI, then the attacker has both "acquired" the files (which requires notification) or has impacted the information owner's ability to access their own data and the business ability to maintain the integrity of the data, also requiring notification. Note that this last condition means that disclosure would be required even if you had encrypted the files before the ransomware attack encrypted them a second time! The guidance does point out that you can still perform a risk assessment justifying your belief that a disclosure would not be required.
[Northcutt ]
Page 2 of the HHS Fact Sheet has the magic word, "backup". Frequent backups, tested backups, offsite backups. And we move on to face the next threat.
Read more in:
SC Magazine: HHS: Healthcare groups must report all ransomware attacks

Health Leaders Media: CMS Offers HIPAA Guidance on Ransomware

HHS (Health and Human Services): FACT SHEET: Ransomware and HIPAA

FDIC Systems Intrusions Not Reported (July 13 and 14, 2016)

According to a report from the US House Committee on Science, Space, and Technology, the Chinese government is suspected of breaking into Federal Deposit Insurance Corp. (FDIC) computers several times between 2010 and 2013. Backdoors were found on 12 workstations and 10 servers. The incidents were never reported to authorities.

[Editor Comments ]

[Paller ]
The shoemaker's children: federal agencies responsible for overseeing cybersecurity in commercial organizations have shown a disturbing pattern, first seen at DHS, of weak internal security controls and skills combined with a failure to disclose important breaches and the lessons learned from those breaches.
Read more in:
NBC News: Chinese Government Suspected of Hacking into FDIC Computers

The Hill: Chinese government likely hacked FDIC: report

Computerworld: Chinese hackers blamed for multiple breaches at U.S. banking agency

Ars Technica: FDIC was hacked by China, and CIO covered it up

Fiat Chrysler Announces Bug Bounty Program (July 13, 2016)

Automobile manufacturer Fiat Chrysler says it will pay up to US $1,500 for reported vulnerabilities in their automobiles' software. Fiat Chrysler is not the first automobile company to pay for information about vulnerabilities; Tesla established a bounty program last year. GM has a vulnerability disclosure program, but offers no payment.

[Editor Comments ]

[Pescatore ]
Increasing numbers of successes show the efficiency and effectiveness of well-managed bug bounty programs, with emphasis on the "well-managed" part. It will be good to see the application security testing services industry respond and up their game against this form of competition.

[Assante ]
Vulnerability discovery efforts combined with system-of-system attack surface and path reviews are important tools in the cyber-to-physical design and testing process. The goal is to deliberately consider, reduce, and understand as many exposures as possible prior to release and ongoing version management of software-centric platforms.
Read more in:
NBC News: Fiat Chrysler Offers Hackers Bounty to Report Cyber Threats

Computerworld: Generous Fiat Chrysler offers $1,500 for car security bugs - or two minutes of annual profit
Wired: Chrysler Launches Detroit's First 'Bug Bounty' for Hackers

Ars Technica: Bug bounties and automotive firewalls: Dealing with the car hacker threat



US Appeals Court Sides with Microsoft in Ireland Server Case (July 14, 2016)

The US Court of Appeals for the Second Circuit in New York has unanimously reversed a lower court's decision, ruling that Microsoft does not have to surrender customer data stored on an overseas server to the Justice Department. According to the decision, the US Stored Communications Act "does not authorize courts to issue warrants for the seizure of customer email content that is stored exclusively on foreign servers." The Justice Department had sought the contents of email messages stored on a server in Ireland as part of a drug trafficking case.

[Editor Comments ]

[Murray ]
While this is an important case, it is a narrow ruling. The ruling is based, not upon Constitutional grounds, but upon the Court's reading of the law. Expect the government both to appeal and to seek changes to the law. Like the Apple "All Writs" action, this is about whether there are to be any limits on the power of the government to compel the cooperation of those who are not parties to, but mere custodians of, data belonging to others. It has major implications for how we will use the Internet.
Read more in:
Computerworld: Microsoft wins appeal over U.S. government access to emails held overseas

V3: Microsoft wins court appeal over handing email stored in Ireland to US authorities

ZDNet: In privacy victory, Microsoft wins appeal over foreign data warrant

The Hill: Microsoft wins landmark data storage case

eWeek: Microsoft Wins Appeal in Ireland Email Case
SC Magazine: Second Circuit rules in favor of Microsoft, gov't can't force access to email on Irish server

Clock-Based Intrusion Detection for Automobile Systems (July 14, 2016)

Researchers from the University of Michigan have developed a proof-of-concept intrusion detection tool for cars' computer systems. The Clock-based Intrusion Detection System (CIDS) creates digital fingerprints for a car's digital components using "clock skew," the fact that computers' internal clocks drift over time because of manufacturing defects and temperature. The digital fingerprints would allow the researchers to determine whether or not messages are legitimate. The researchers plan to present a paper on their findings at Usenix.

[Editor Comments ]

[Pescatore ]
Back in the late 1990s, the automotive industry was considering PKI to support encryption of communications in future smart vehicles. Vehicles usually have some form of Vehicle Identification Number that is "hard coded" into the physical frame of the car, and that makes a good starting point for a trustable public key value. Future movement towards vehicle-to-vehicle communications, let alone autonomous vehicles, will require some form of secure communications.

[Murray ]
This is the second report in a week of "security research," rather than legitimized hacking. According to Walt Mossberg, in journalism, "two points make a trend." May these two cases be the start of a trend.
Read more in:
Wired: Clever Tool Shields Your Car From Hacks by Watching Its Internal Clocks

Fixes Available for Drupal Remote Code Execution Flaws (July 14, 2016)

Drupal is urging users to patch critical vulnerabilities in the content management system that could be exploited to allow remote code execution. The vulnerability is believed to affect approximately 14,000 websites. The Drupal advisory lists new releases for several affected modules.

[Editor Comments ]

[Williams ]
These vulnerabilities are easily exploitable and result in unauthenticated remote code execution. The highest scoring vulnerability was rated 22/25 on Drupal's security rating scale. Admins were given a 24-hour notice that critical patches were coming. If this isn't already being exploited in the wild, it's only a short time before it will be.
Read more in:
The Register: Critical remote code execution holes reported in Drupal modules

V3: Drupal issues major security fixes for flaw probably used in Panama Papers breach

ZDNet: Drupal calls on users to patch critical remote code execution vulnerabilities

Drupal Advisory: Drupal contrib - Highly Critical - Remote code execution PSA-2016-001

Locky Ransomware Encrypts Files Even When Computers are Offline (July 14, 2016)

A new variant of the Locky ransomware is capable of encrypting files on infected computers even when the malware is unable to communicate with command-and-control servers. Instead of using a unique encryption key, this version of Locky will use a predefined public key, which will be the same for all infected machines that are offline or otherwise prevent Locky from communicating with the command-and-control servers.

[Editor Comments ]

[Murray ]
The FBI issued guidance in the context of Locky. Little of the guidance is specific to Locky; most are things that qualify as "essential" practices (Can be done by anyone, using available resources, each only about 80%, but work together to achieve an arbitrary level of security. (Paraphrased from Peter Tippett)). Many of these essential measures are dismissed by security professionals because of their (80%) limitations while others are resisted in the name of convenience. However, if implemented as Dr. Tippett suggests, they will resist, not only ransomware, but the success and cost of most other attacks.
Read more in:
Computerworld: New Locky ransomware version can operate in offline mode

Juniper Patches for Junos OS (July 14, 2016)

Juniper has released fixes for eight vulnerabilities in its Junos operating system. The Junos OS is used on Juniper networking and security appliances. The flaws could be exploited to gain elevated privileges, cause denial of service conditions and kernel crashes, and impersonate trusted users.

[Editor Comments ]

[Williams ]
This flaw allows anyone with a self-signed certificate, claiming to be from a trusted certificate authority, to bypass validation. Organizations using Juniper devices at the boundary should consider employing hunt teams to determine whether this vulnerability was exploited previously.
Read more in:
The Register: Juniper's bug hunters fire out eight patches

Computerworld: Juniper patches high-risk flaws in Junos OS

Ars Technica: Crypto flaw made it easy for attackers to snoop on Juniper customers

Four-Year Prison Sentence for Conspiracy to Steal Defense Data (July 14, 2016)

A US federal judge in California has sentenced Su Bin to 46 months in prison for his role in a scheme to steal sensitive information from the networks of US defense contractors. Su was also ordered to pay a US $10,000 fine. Su pleaded guilty to charges of conspiracy in March.


Read more in:
The Hill: Chinese businessman sentenced in defense hacking conspiracy

NBC News: Chinese Man to Serve U.S. Prison Term for Military Hacking

Wired UK: Chinese hacker jailed after stealing 'cutting-edge' military secrets
US Dept. of Justice: Chinese National Who Conspired to Hack into U.S. Defense Contractors' Systems Sentenced to 46 Months in Federal Prison

Malware Found on European Energy Company System (July 12 and 13, 2016)

Malware known as SFG has been detected on the network of an unnamed energy company in Europe. SFG gathers information about the infected system and opens a backdoor that could be used to launch a malicious payload. It bears similarities to malware known as Furtim, which was used to create a backdoor on industrial control systems. According to SentinelOne Labs, which discovered the malware, SFG "appears to have been designed by multiple developers with high-level skills and access to considerable resources."

[Editor Comments ]

[Assante ]
I would caution jumping to far-reaching conclusions because a malware is found at an energy company. The code as analyzed did not have any discernible modules or payloads designed specifically for operational technology or industrial processes.
Read more in:
SC Magazine: SFG malware discovered in European energy company

The Register: SCADA malware caught infecting European energy company
SentinelOne: SFG: Furtim's Derivative

Patch Tuesday: Microsoft and Adobe (July 13 and 14, 2016)

On Tuesday, July 12, Microsoft and Adobe released security updates. Microsoft issued 11 security bulletins that fix more than 40 vulnerabilities in Windows, Microsoft Office, Internet Explorer, and Edge. Adobe's updates fix at least 52 security issues in its Flash Player and at least 30 security issues in Reader.


Read more in:
KrebsOnSecurity: Adobe, Microsoft Patch Critical Security Bugs
InformationWeek: Windows 'Critical' Security Flaw Hits All Versions Of OS

Ars Technica: 20-year-old Windows bug lets printers install malware--patch now

Computerworld: Critical Updates to IE, Edge and Adobe Flash Player for July Patch Tuesday

Microsoft Security Bulletins: July 12, 2016 (MS16-084 through MS16-094)
Adobe Flash: Security updates available for Adobe Flash Player
Adobe Acrobat and Reader: Security updates available for Adobe Acrobat and Reader

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
