Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #12

February 10, 2017

TOP OF THE NEWS

Wired Magazine on Trump's Homeland Security Chief: Cybersecurity
For the US Army, Cyber War Is Quickly Becoming Just War
Fileless Malware Attacks

THE REST OF THE WEEK'S NEWS

NASA IG Report Finds Agency Grappling With Manual Operational Technology (OT) and IT Infrastructure Integration
Microsoft Can Sue U.S. Government Over Gag Orders
C-level Managers and IT Decision Makers: Who's in Charge After a Cyber Attack?
Arby's Breach Limited To Corporate Stores
U.S. Government Contractor Employee Indicted for Allegedly Stealing National Defense Information
Mobile VPN Security
Ireland's High Court is Hearing Facebook Data Transfer Case
Air National Guard Accelerating Cyber Training

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


*********************** Sponsored By Malwarebytes ***********************

Party with Malwarebytes at RSA Conference 2017! Visit us in Booth #2319 in the South Hall to get the latest on advanced-threat detection and incident response. And don't miss the Malwarebytes Crush Party. Mingle with your security peers at the SFMOMA on Tuesday, February 14. RSVP

Today: http://www.sans.org/info/191957

******************************************************************************

TRAINING UPDATE

--SANS Munich Winter 2017 | Munich, Germany | February 13-18, 2017 | https://www.sans.org/event/munich-winter-2017

--SANS Secure Japan 2017 | Tokyo, Japan | February 13-25, 2017 | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017

--SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017

--SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017

--SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017

--SANS Secure Europe 2017 | June 12-20 | https://www.sans.org/event/secure-europe-2017

--SANS Cyber Defence Canberra 2017 | June 26-July 8 | https://www.sans.org/event/cyber-defence-canberra-2017

--SANS Online Training: Get an iPad Pro, Samsung Galaxy Tab S2, or $500 off with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Wired Magazine on Trump's Homeland Security Chief: Cybersecurity (February 9, 2017)

Tom Bossert, the newly named US homeland security advisor, will share responsibility on cybersecurity and counterterrorism with national security adviser Michael Flynn. A lawyer who shifted his focus to security policy after 9/11, Bossert served as deputy homeland security adviser during Bush's second term. He quickly became someone to whom the president turned on cybersecurity issues, says Healey, who also served as a cybersecurity adviser earlier in the Bush administration. In 2008, Bossert helped push through Bush's Comprehensive National Cybersecurity Initiative, a largely classified presidential directive designed to shore up the federal government's cybersecurity infrastructure."
-https://www.wired.com/2017/02/tom-bossert-trump-cybersecurity/

For the US Army, Cyber War Is Quickly Becoming Just War (February 9, 2017)

The US Army has 30 cyber teams at full operational capability and 11 more at initial operating capability, and is aiming to have 41 fully operational teams by year's end. "As soon as we create them, they are in operational use" in both offense and defense, said Brig. Gen. J.P. McGee, Army Cyber Command's deputy for operations. "We have Army soldiers delivering effects against ISIS and ISIL."
-http://www.defenseone.com/technology/2017/02/us-army-cyber-war-quickly-becoming-
just-war/135314/

Fileless Malware Attacks (February 8 & 9, 2017)

Kaspersky Lab has found that criminals using fileless malware have targeted more than 140 telecommunications companies, financial institutions, and government organizations in 40 countries. The attackers use open-source penetration testing tools that they load directly into a computer's memory. The payload is hidden in RAM or kernel, where it is more difficult to detect.


[Editor Comments ]



[Williams ]
These attacks highlight the central role played by memory forensics in incident response. If you're shutting the machine down to take a disk image, there's little evidence to be captured from an attack like this. I regularly remind customers that the 16GB of evidence (RAM size) they lose by shutting the machine down is larger than many hard drives were just a decade ago.


[Murray ]
If Kaspersky knows what is claims to know, then it has "indicators of compromise" (IOCs), "artifacts," that can be used to discover instances of this kind of infection.

Read more in:

SecureList: Fileless attacks against enterprise networks
-https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-n
etworks/


Wired: Say Hello to the Super-Stealthy Malware That's Going Mainstream
-https://www.wired.com/2017/02/say-hello-super-stealthy-malware-thats-going-mains
tream/


Computerworld: 'Fileless malware' attacks, used at banks, have been around for years
-http://computerworld.com/article/3167863/security/fileless-malware-attacks-used-
at-banks-have-been-around-for-years.html


CyberScoop: New malware works only in memory, leave no trace
-https://www.cyberscoop.com/kaspersky-fileless-malware-memory-attribution-detecti
on/?category_news=technology


SC Magazine: Attackers steal from ATMs after infecting banks with memory-only malware
-https://www.scmagazine.com/attackers-steal-from-atms-after-infecting-banks-with-
memory-only-malware/article/637029/


Ars Technica: A rash of invisible, fileless malware is infecting banks around the globe
-https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is
-infecting-banks-around-the-globe/


eWeek: Kaspersky Discovers New Malware Designed to Stealthily Steal Data
-http://www.eweek.com/security/kaspersky-discovers-new-malware-designed-to-stealt
hily-steal-data.html



*************************** SPONSORED LINKS *****************************

1) In case you missed it: "The Cost and Consequences of Security Complexity: New Ponemon Institute Research Identifies 8 Best Practices." View the archive: http://www.sans.org/info/191967

2) How are you responding to incidents and attacks? What solutions work best? Share your experiences in our 2017 SANS Incident Response Survey and enter to win a $400 gift card. http://www.sans.org/info/191972

3) SANS 2017 SOC Survey is NOW OPEN - It takes a village to protect today's networks from cyber threats. Tell us how your organization is accomplishing these tasks and enter to win a $400 Amazon gift card! http://www.sans.org/info/191977

******************************************************************************

THE REST OF THE WEEK'S NEWS

NASA IG Report Finds Agency Grappling With Manual Operational Technology (OT) and IT Infrastructure Integration (February 9, 2017)

A report from NASA's Office of Inspector General examined "whether NASA has implemented effective policies, procedures, and controls to protect the systems it uses to operate its critical infrastructure." The report found that that agency "has not adequately defined OT, developed a centralized inventory of OT systems, or established a standard protocol to protect systems that contain OT components." Problems arise due to the complications inherent in combining manual operational technology systems with more sophisticated IT systems. For example, using IT security practices to address issues in IT systems can cause malfunctions.


[Editor Comments ]



[Pescatore ]
While it is good to see the NASA OIG look into NASA's issues with security operational technology, annual IG reports since 2013 have said that "IT security remains a significant challenge for the Agency." The problem really is *not* successfully integrating IT and OT security, it is more of a "make everyone drop their pencils until we can achieve basic security hygiene."


[Honan ]
It is equally important to agree, before a breach happens, who is in charge during a cyber attack.

Read more in:

FCW: Watchdog: IT glitch at NASA led to fire
-https://fcw.com/articles/2017/02/09/nasa-iot-problems-rockwell.aspx

NASA IG Report: Industrial Control System Security Within NASA's Critical and Supporting Infrastructure (PDF)
-https://oig.nasa.gov/audits/reports/FY17/IG-17-011.pdf

Microsoft Can Sue U.S. Government Over Gag Orders (February 9, 2017)

A federal judge in Seattle, Washington has ruled that Microsoft may proceed with its lawsuit against the U.S. government regarding the gag order that accompanies many requests for stored customer data. Microsoft maintains that the orders, which have no end dates, violate its customers' First and Fourth Amendment rights. The DoJ argued that Microsoft did not have the legal standing to bring a Fourth Amendment claim on behalf of its customers. U.S. District Judge James L. Robart's ruling "grants in part and denies in part the Government's motion to dismiss."

Read more in:

Ars Technica: Judge sides with Microsoft, allows "gag order" challenge to advance
-https://arstechnica.com/tech-policy/2017/02/judge-sides-with-microsoft-allows-ga
g-order-challenge-to-advance/


Document Cloud: Microsoft Corporation v. United States Department of Justice
-https://www.documentcloud.org/documents/3457605-19717315842.html

C-level Managers and IT Decision Makers: Who's in Charge After a Cyber Attack? (February 9, 2017)

A study from BAE Systems found that IT decision-makers and C-level executives disagree about who is responsible for cleaning up after a cyber attack. One-third of C-level executives said that IT would be responsible for incident response and damage mitigation in the event of a breach; half of IT decision makers said the responsibility lies with the C-levels.


[Editor Comments ]



[Murray ]
To the extent that an incident threatens the life and health of the enterprise, general management will be in charge. Cannot be otherwise. IT will not have and cannot be given the necessary authority or resources.


[Williams ]
While remediation efforts should be directed by the incident response teams, the actual remediation actions need to be taken by IT. Not having clear delineation of responsibility in incident response probably led to Trustwave being sued by Affinity Gaming (
-https://www.scmagazine.com/affinity-gaming-claims-trustwave-failed-in-investigat
ing-remedying-breach/article/529226/).

A key claim in the suit is that Trustwave knew a server was infected but failed to clean it (something that would be an IT function in almost every case).

Read more in:

BBC: Firms split on who handles aftermath of cyber-attacks
-http://www.bbc.com/news/technology-38907073

Computerworld: IT and C-level leaders point fingers at each other over cyber defense
-http://computerworld.com/article/3167905/security/it-and-c-level-leaders-point-f
ingers-at-each-other-over-cyber-defense.html

Arby's Breach Limited To Corporate Stores (February 9, 2017)

Arby's (an Atlanta, Georgia-based fast-food chain) has acknowledged that point-of-sale systems at some of its stores were infected with malware, resulting in the theft of customer payment card data. The breach affected corporate Arby's stores; franchises were not affected. Arby's learned of the breach from "industry partners" in January, but did not disclose it at the request of the FBI. Arby's has brought in security experts and has taken steps "to contain this incident and eradicate the malware from systems at restaurants that were impacted."

Read more in:

KrebsOnSecurity: Fast Food Chain Arby's Acknowledges Breach
-https://krebsonsecurity.com/2017/02/fast-food-chain-arbys-acknowledges-breach/

U.S. Government Contractor Employee Indicted for Allegedly Stealing National Defense Information (February 7, 8, & 9, 2017)

A U.S. federal grand jury has returned an indictment against Harold Thomas Martin III for willful retention of national defense information. Martin worked for various government contract companies between 1993 and 2016, sometimes working for the Defense Department and intelligence agencies. Martin was arrested in August 2016 while working for Booz Allen Hamilton at the NSA.

Read more in:

FCW: Contractor indicted for stealing spy secrets
-https://fcw.com/articles/2017/02/09/nsa-contractor-indict.aspx

The Register: Ex-NSA contractor Harold Martin indicted: He spent 'up to 20 years stealing top-secret files'
-http://www.theregister.co.uk/2017/02/08/us_grand_jury_indicts_harold_martin_nsa/

CyberScoop: Report: NSA contractor allegedly stole armory of elite hacking tools
-https://www.cyberscoop.com/harold-martin-nsa-tao-75-percent-hacking-tools/

DoJ: Government Contractor Facing Federal Indictment for Willful Retention of National Defense Information
-https://www.justice.gov/usao-md/pr/government-contractor-facing-federal-indictme
nt-willful-retention-national-defense

Mobile VPN Security (February 8, 2017)

Australia's Commonwealth Scientific and Industrial Research Organization analyzed 283 mobile VPNs available in the Google Play store. Most of the VPNs had serious privacy and/or security issues. Eighteen percent of the VPNs did not encrypt tunnels. Eighty-four percent did not use the most current encryption for traffic between sites. Three quarters used third-party data-tracking libraries, and 82 percent requested permission to access personal information on the user's mobile device.

Read more in:

Wired: Beware: Most Mobile VPNs Aren't as Safe as They Seem
-https://www.wired.com/2017/02/beware-mobile-vpns-arent-safe-seem/

Ireland's High Court is Hearing Facebook Data Transfer Case (February 7, 2017)

Ireland's High Court is hearing a case that arose from a 2013 complaint by an Austrian lawyer that alleged Facebook's transfer of his personal information to the U.S. was illegal. Facebook's European Headquarters is in Dublin. The court will decide whether or not the data transfer is legal under Irish and EU data protection rules.


[Editor Comments ]



[Honan ]
Under the EU Data Protection Directive it is illegal for organizations in the EU to transfer personal data belonging to EU citizens outside of the EU and the EEA unless there are specific legal frameworks in place, such as Binding Corporate Rules or Model Contracts (see
-https://www.dataprotection.ie/docs/Transfers-Abroad/y/37.htm)
This case arises to determine whether US surveillance laws undermine the adequacy of Binding Corporate Rules or Model Contracts. Should this be the finding then there will be significant impact on the ability of US technical companies and Cloud Service Providers to provide services to companies within the EU.

Read more in:

RTE: Landmark EU-US data privacy court case opens in Dublin
-https://www.rte.ie/news/2017/0207/850760-schrems-facebook-data/

The Irish Times: US data safeguards equivalent to EU rules, Facebook court told
-http://www.irishtimes.com/business/technology/us-data-safeguards-equivalent-to-e
u-rules-facebook-court-told-1.2969763

Air National Guard Accelerating Cyber Training (February 7, 2017)

The U.S. Air National Guard will graduate its first class of 20 cyber warriors in March. The Air National Guard hopes to increase the size of its classes. The two-month program runs four times a year. The Guard plans to have 30 cyber units stationed in 30 states by fiscal 2019.

Read more in:

Federal News Radio: Air National Guard uses crash courses to narrow cyber training backlog
-http://federalnewsradio.com/defense/2017/02/air-national-guard-uses-crash-course
s-narrow-cyber-training-backlog/


INTERNET STORM CENTER TECH CORNER

Using Emojis as Passwords
-https://isc.sans.edu/forums/diary/My+Password+is+taco+Using+Emojis+for+Stronger+
Passwords/22042/

Popular iOS Applications Not Using TLS
-https://medium.com/@chronic_9612/76-popular-apps-confirmed-vulnerable-to-silent-
interception-of-tls-protected-data-2c9a2409dd1#.nv0mf6w4e

Web Bluetooth Security Model
-https://medium.com/@jyasskin/the-web-bluetooth-security-model-666b4e7eed2#.kqtxd
k70h

E-Mail Spoofing in GMail
-https://www.linkedin.com/pulse/aware-sender-spoofing-amongst-gmail-users-renato-
marinho

Cloud Metadata URLs
-https://isc.sans.edu/forums/diary/Cloud+Metadata+Urls/22046/

Intel Atom C2000 Chip Failures
-http://www.theregister.co.uk/2017/02/06/cisco_intel_decline_to_link_product_warn
ing_to_faulty_chip/

More W-2 Scams, Now Combined With Wire Transfer Scams
-https://nakedsecurity.sophos.com/2017/02/08/beware-the-latest-tax-season-spear-p
hishing-scam/

Macro Malware Coming to MacOS
-https://objective-see.com/blog/blog_0x17.html

F5 Big IP Ticketbleed Vulnerability
-https://filippo.io/Ticketbleed/

CryptoShield Ransomware from Rig EK
-https://isc.sans.edu/forums/diary/CryptoShield+Ransomware+from+Rig+EK/22047/

Hancitor/Pony Malspam
-https://isc.sans.edu/forums/diary/HancitorPony+malspam/22053/

Apple Retaining Old Browser History Data
-https://blog.elcomsoft.com/2017/02/elcomsoft-extracts-deleted-safari-browsing-hi
story-from-icloud/#more-3769

Brute Forcing LUKS Passwords
-https://0x00sec.org/t/breaking-encryption-hashed-passwords-luks-devices/811


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create