
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #10

February 3, 2017

TOP OF THE NEWS

Last Week's WordPress Update Included an Undisclosed Critical Vulnerability
Schneider Releases Fix for Flaw in StruxureWare Data Center Expert
SWIFT Urges Member Banks to Adopt Stronger Security Measures

THE REST OF THE WEEK'S NEWS

Australian Nuclear Scientists' Data Compromised
U.S. Treasury Dept. Eases Sanctions on Russian Security Service
Cellular Location Data Protection Varies from State to State in U.S.
Google on Bringing KrebsOnSecurity into Project Shield
Netherlands Will Count Ballots by Hand
More Netgear Router Flaws
Fix Available for Cisco Prime Home Vulnerability
OpenSSL Security Update
Czech Government Officials Hit by Cyber Attacks

INTERNET STORM CENTER TECH CORNER



TOP OF THE NEWS

Last Week's WordPress Update Included an Undisclosed Critical Vulnerability (February 2, 2017)

WordPress fixed a fourth vulnerability, undisclosed at the time, in last week's update. The update notes included information about three issues, all rated moderate. The fourth security issue, which is rated severe, was not mentioned because it was so severe that the company deemed it more important to have sites patched before it became known. The unauthenticated privilege escalation vulnerability affects WordPress's REST API and could be exploited to modify the content of posts and pages on WordPress sites. The WordPress update was automatically pushed out.


[Editor Comments]

[Paller]
Content management system vulnerabilities (like this one in WordPress) are currently the most common method by which web sites are infected and made to compromise all visitors. In other words, they enable broad compromises of unsuspecting users at sites that can no longer be trusted.


[Ullrich]
Not releasing vulnerability details may give users a chance to patch before exploits are developed. But at the same time, patching is risky and a patch may not be applied at all if there is no clear security benefit. It is important that vendors provide clear guidance and are open in announcing security flaws addressed by particular updates.

[Williams]
Updates were automatic for only some of the users. While automatic updates are now the default for WordPress, many clients don't use the feature because of potential plugin compatibility issues breaking the web site. This one is a "patch now" bug. Defacements, malicious links, and, depending on blog settings, persistent XSS are possible exploitation outcomes.

Read more in:

WordPress: Disclosure of Additional Security Fix in WordPress 4.7.2
-https://make.wordpress.org/core/2017/02/01/disclosure-of-additional-security-fix-in-wordpress-4-7-2/

ZDNet: WordPress: Why we didn't tell you about a big zero-day we fixed last week
-http://www.zdnet.com/article/wordpress-why-we-didnt-tell-you-about-a-big-zero-day-we-fixed-last-week/

Computerworld: WordPress silently fixes dangerous code injection vulnerability
-http://computerworld.com/article/3164479/security/wordpress-silently-fixes-dangerous-code-injection-vulnerability.html

The Register: WordPress fixed god-mode zero day without disclosing the problem
-http://www.theregister.co.uk/2017/02/02/last_weeks_boring_sqli_wordpress_patch_hid_fix_for_godmode_zero_day/

Schneider Releases Fix for Flaw in StruxureWare Data Center Expert (February 2, 2017)

A patch is now available for a vulnerability in Schneider Electric's StruxureWare Data Center Expert industrial control kit, which is used to monitor physical infrastructure at data centers. The flaw could be exploited to access passwords held unencrypted in RAM on the client side. Customers are urged to upgrade to StruxureWare Data Center Expert version 7.4.


[Editor Comments]

[Murray]
Many vulnerabilities result from the generality and flexibility of the development platforms used, others from the complexity of the task. This one is the result of ignorance of good practice, and poor supervision. It started with the understanding of requirements and the expression of design. It is bad enough when this results in risk to an enterprise writing code for its own use, much worse when the risk is to the infrastructure. We remain a long way from the point where software development can be called "engineering."

Read more in:

The Register: Another Schneider vuln: Plaintext passwords on client-side RAM resolved
-http://www.theregister.co.uk/2017/02/02/data_centre_control_kit_flaw_resolved/

Schneider Electric: Security Notification - Data Center Expert Software
-http://www.schneider-electric.com/en/download/document/SEVD-2016-343-01/

SWIFT Urges Member Banks to Adopt Stronger Security Measures (February 1, 2017)

The February 2016 USD 81 million theft from Bangladesh's central bank, followed by a string of other thefts, prompted SWIFT to launch a customer security program that provides guidelines for member financial institutions and urges them to adopt two-factor authentication and update to new SWIFT software. SWIFT itself was not breached, but attackers stole member institutions' SWIFT credentials, which allowed them to conduct the fraudulent transactions. A SWIFT official noted that the efforts have thwarted some recent attacks.


[Editor Comments]

[Murray]
SWIFT is only the messenger, but their brand has been badly tarnished by the practices of their users. Advice seems to be their only tool. While security is expensive, advice is cheap. Everything looks cheap when the other guy has to do it.

Read more in:

SC Magazine: Bank Account-ability SWIFT demands action from members as threat of cyberheists looms large
-https://www.scmagazine.com/bank-account-ability-swift-demands-action-from-members-as-threat-of-cyberheists-looms-large/article/635526/




THE REST OF THE WEEK'S NEWS

Australian Nuclear Scientists' Data Compromised (February 3, 2017)

A computer breach at the Australian Nuclear Science and Technology Organisation's (ANSTO) Australian Synchrotron particle accelerator compromised the usernames and passwords of scientists who use the system.


[Editor Comments]

[Williams]
If ANSTO's statements are taken at face value, theirs is a success story that begins and ends with proper network segmentation. Proper segmentation is a game changer and can stop small problems from becoming really big problems (nuclear problems in the case of ANSTO).

Read more in:

The Register: Particle accelerator hacked: Boffins' hashed passwords beamed up
-http://www.theregister.co.uk/2017/02/03/australian_synchrotron_hacked/

U.S. Treasury Dept. Eases Sanctions on Russian Security Service (February 2, 2017)

The U.S. Department of the Treasury has issued a license that eases sanctions against Russia's Federal Security Service, paving the way for U.S. companies to export IT products to that country.

Read more in:

ZDNet: Treasury loosens Russia sanctions to ease encrypted tech blockade
-http://www.zdnet.com/article/treasury-eases-cyber-sanctions-with-russia/

The Hill: Treasury amends Russian sanctions to allow U.S. tech exports
-http://thehill.com/policy/national-security/317571-white-house-denies-relaxing-sanctions-on-russia

USA Today: U.S. eases restrictions on cyber-security sales to Russian spy agency
-http://www.usatoday.com/story/news/2017/02/02/us-eases-some-economic-sanctions-against-russia/97399136/

CNET: Trump eases Russia sanctions to allow US electronics exports
-https://www.cnet.com/news/trump-eases-russia-sanctions-to-allow-us-electronics-exports-treasury/

U.S. Dept. of the Treasury: Publication of Cyber-related General License
-https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20170202_33.aspx

Cellular Location Data Protection Varies from State to State in U.S. (February 2, 2017)

In some U.S. states, police can obtain cell-site location data without a warrant under the third-party doctrine, which says that if people give their information to a third party, they have no reasonable expectation of privacy. Six states have laws on the books that require warrants for all cell-site location data; three other states require warrants only for real-time tracking. Law enforcement has also sought data from an Amazon Echo smart speaker and from Sirius XM satellite radios.

Read more in:

Wired: Police Could Get Your Location Data Without a Warrant. That Has to End
-https://www.wired.com/2017/02/police-get-location-data-without-warrant-end/

Google on Bringing KrebsOnSecurity into Project Shield (February 2, 2017)

In a presentation at the Enigma security conference earlier this week, a Google security engineer described the process of bringing KrebsOnSecurity into Project Shield after Krebs's site became the target of massive distributed denial-of-service (DDoS) attacks last fall. Project Shield is a free service that uses Google technology to protect news, journalist, human rights, and election monitoring sites from DDoS attacks on the web.

Read more in:

Ars Technica: How Google fought back against a crippling IoT-powered botnet and won
-https://arstechnica.com/security/2017/02/how-google-fought-back-against-a-crippling-iot-powered-botnet-and-won/

Netherlands Will Count Ballots by Hand (February 1 & 2, 2017)

The Dutch government has said that ballots in the country's parliamentary election scheduled for March 15, 2017, will be counted by hand to assuage concerns that digital tabulation systems could be compromised. Intelligence agencies have cautioned that elections in France, Germany, and the Netherlands could be at risk of manipulation.


[Editor Comments]

[Murray]
History suggests that efficient election fraud is always in the tabulating and reporting phases rather than in the recording phase. While this procedure may "assuage" fear, it may introduce a vulnerability where there was none. "Security is a space where intuition does not serve us well."

[Northcutt]
I am a fan of hand-counted ballots for now. I believe it is possible to create a safe and reasonable voting machine, but so far, that is not a priority.

-http://fortune.com/2016/11/04/voting-machine-hack-watch-video-cylance/

-http://www.detroitnews.com/story/news/nation/2016/12/26/election-hacking/95859910/

-http://ijr.com/wildfire/2016/11/731642-edward-snowden-demonstrates-how-easy-it-is-to-hack-a-voting-machine-all-for-just-30/


Read more in:

Reuters: Dutch will hand count ballots due to hacking fears
-http://www.reuters.com/article/us-netherlands-election-cyber-idUSKBN15G55A

SC Magazine: Dutch revert to an all-paper ballot, fearing election hack
-https://www.scmagazine.com/dutch-revert-to-an-all-paper-ballot-fearing-election-hack/article/635661/

The Register: Netherlands reverts to hand-counted votes to quell security fears
-http://www.theregister.co.uk/2017/02/02/netherlands_reverting_to_handcounted_votes_to_quell_security_fears/

More Netgear Router Flaws (January 30 & February 1, 2017)

A pair of flaws that affect 31 models of Netgear routers could be exploited to access or bypass passwords and take control of vulnerable devices. Netgear has released firmware updates for most of its vulnerable routers, and has provided workarounds for older models.


[Editor Comments]

[Murray]
The popularity of Netgear routers, coupled with their record of implementation-induced vulnerabilities, has now become a reason not to use them.

Read more in:

Dark Reading: Netgear Addresses Password Bypass Vulns In 31 Router Models
-http://www.darkreading.com/vulnerabilities---threats/netgear-addresses-password-bypass-vulns-in-31-router-models/d/d-id/1328036?

SC Magazine: 31 models of Netgear routers found vulnerable; could be hacked to form botnet
-https://www.scmagazineuk.com/31-models-of-netgear-routers-found-vulnerable-could-be-hacked-to-form-botnet/article/634542/

Trustwave: CVE-2017-5521: Bypassing Authentication on NETGEAR Routers
-https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2017-5521--Bypassing-Authentication-on-NETGEAR-Routers/

Trustwave: Multiple Vulnerabilities in NETGEAR Routers
-https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2017-003/?fid=8911

Netgear: Web GUI Password Recovery and Exposure Security Vulnerability
-http://kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability?cid=wmt_netgear_organic

Fix Available for Cisco Prime Home Vulnerability (February 1 & 2, 2017)

Cisco has released a patch to fix a critical remote code execution flaw in the Cisco Prime Home automated configuration server, which communicates with subscriber devices using the TR-069 protocol. The vulnerability could be exploited to gain administrative privileges and take control of customers' home routers. Cisco is urging Internet service providers (ISPs) and others using the vulnerable systems to update as soon as possible.


[Editor Comments]

[Ullrich]
Cisco Prime Home is equipment typically deployed by ISPs; they will have to deploy the patch. Consumers will most likely not be able to do so. The TR-069 protocol and its cousins have caused issues in the past. For example, the Mirai botnet exploited routers that wrongly exposed TR-064. Unlike TR-064, which is only meant for LAN side configuration, TR-069 is used by ISPs to configure devices, and is supposed to provide for authentication. But in this case, authentication wasn't implemented correctly.

Read more in:

Computerworld: Cisco patches critical flaw in Prime Home device management server
-http://computerworld.com/article/3164830/security/cisco-patches-critical-flaw-in-prime-home-device-management-server.html


The Register: Home-pwners: Cisco's Prime Home lets hackers hijack people's routers, no questions asked
-http://www.theregister.co.uk/2017/02/01/cisco_remote_access_hole_in_prime_home/

OpenSSL Security Update (January 26 & 31, 2017)

OpenSSL has released a security update that fixes three vulnerabilities that could be exploited to cause denial-of-service conditions. In the first vulnerability, a truncated packet can crash the system via an out-of-bounds read; in the second, bad Diffie-Hellman parameters in DHE/ECDHE mode could crash clients; the third involves a carry-propagating bug in the x86_64 Montgomery squaring procedure.

Read more in:

The Register: OpenSSL pushes trio of DOS-busting patches
-http://www.theregister.co.uk/2017/01/31/openssl_patches/

OpenSSL: OpenSSL Security Advisory [26 Jan 2017]
-https://www.openssl.org/news/secadv/20170126.txt

Czech Government Officials Hit by Cyber Attacks (January 31, 2017)

A series of breaches has compromised email accounts of several high-ranking Czech officials, including the Foreign Minister. The Czech government believes that the attacks bear the hallmark of a nation-state effort. The intruders allegedly stole thousands of files.

Read more in:

The Guardian: Czech cyber-attack: Russia suspected of hacking diplomats' emails
-https://www.theguardian.com/world/2017/jan/31/czech-cyber-attack-russia-suspected-of-hacking-diplomats-emails

The Hill: Nation-state suspected in hacking of Czech foreign minister
-http://thehill.com/policy/cybersecurity/317169-czech-ministers-hacked-nation-state-suspected-reports


INTERNET STORM CENTER TECH CORNER

py2exe Decompiling Part 2
-https://isc.sans.edu/forums/diary/py2exe+Decompiling+Part+2/22005/

Telemarketer Leaks Call Recordings
-https://mackeeper.com/blog/post/326-telemarketing-company-leaks-400k-of-sensitive-files

Facebook Introduces Delegated Recovery Protocol
-https://github.com/facebookincubator/DelegatedRecovery/
-https://raw.githubusercontent.com/facebookincubator/DelegatedRecovery/master/draft-hill-delegated-recovery.raw.txt

Another Cisco WebEx Update
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex

Cryptkeeper Does Not Correctly Encrypt Folders
-https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852751

Fileless UAC Bypass Used to Drop Keybase Malware
-https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/

Apple Removes Activation Lock Test Tool After Abuse
-https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/

Multiple Vulnerabilities in tcpdump
-https://www.debian.org/security/2017/dsa-3775

Postscript Printer Vulnerabilities
-http://seclists.org/fulldisclosure/2017/Jan/89

Stop Disabling SELinux
-https://learntemail.sam.today/blog/stop-disabling-selinux:-a-real-world-guide/


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board