SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #13

February 14, 2017

SANS faculty members Ed Skoudis, Mike Assante and Johannes Ullrich will keynote the RSA 2017 conference in San Francisco Wednesday in the kick-off session titled The Seven Most Dangerous New Attacks. Watch them live at rsaconference.com at 1:30 EST (2/15/17); you may even ask questions through James Lyne's cool online query system.

TOP OF THE NEWS

Verizon's 2017 Data Breach Digest Sneak Peek: University's Network Attacked Using Its Network-Connected IoT Devices
Recent Attacks Against Banks Appear to Have Ties to Lazarus Cybercrime Group
Hackers Targeting Journalists
Microsoft Office 365 Secure Score

THE REST OF THE WEEK'S NEWS

Microsoft Delays February's Security Updates
Australian Legislators Approve Breach Notification Law
US Customs and Border Patrol Demanded NASA Scientist's iPhone PIN
Arrest in Sports Direct Breach
Guilty Plea in Bugat Malware Case
Eight-Year Prison Sentence for Man Convicted in Global ATM Heists
Legislators Ask Flynn to Renegotiate Provisions of the Wassenaar Arrangement
Expert Says: Election Meddling was Not an Act of War
IBM's Cybersecurity Instance of Watson is Open for Business

INTERNET STORM CENTER TECH CORNER


*************************** Sponsored By Malwarebytes ******************* Party with Malwarebytes at RSA Conference 2017! Visit us in Booth #2319 in the South Hall to get the latest on advanced-threat detection and incident response. And don't miss the Malwarebytes Crush Party. Mingle with your security peers at the SFMOMA on Tuesday, February 14. RSVP Today: http://www.sans.org/info/192007

TRAINING UPDATE

--SANS Munich Winter 2017 | Munich, Germany | February 13-18, 2017 | https://www.sans.org/event/munich-winter-2017

--SANS Secure Japan 2017 | Tokyo, Japan | February 13-25, 2017 | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017

--SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017

--SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017

--SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017

--SANS Secure Europe 2017 | June 12-20 | https://www.sans.org/event/secure-europe-2017

--SANS Cyber Defence Canberra 2017 | June 26-July 8 | https://www.sans.org/event/cyber-defence-canberra-2017

--SANS Online Training: Get an iPad Pro, Samsung Galaxy Tab S2, or $500 off with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Verizon's 2017 Data Breach Digest Sneak Peek: University's Network Attacked Using its Network-Connected IoT Devices (February 10, 2017)

A sneak peek of Verizon's 2017 Data Breach Digest describes an incident in which a university network was attacked using its own IoT devices, including light bulbs and vending machines. The attackers took control of poorly secured IoT devices and directed them to make DNS requests every 15 minutes. The IoT devices were supposed to be isolated from the rest of the university's network. The team used "a full packet capture device ... to inspect the network traffic and identify the new device password," and then changed the passwords.


[Editor Comments ]



[Ullrich ]
Universities are not the only ones being hit by this type of attack. Attackers are discovering that IoT devices are a great beachhead into small business and enterprise networks. IoT devices for the most part are not covered by standard endpoint protection systems that are common for workstations. This makes them the weak point and ideal point of entry. Kudos to this university for having the competency to analyze the compromise and being willing to share the details.

Read more in:

ZDNet: How IoT hackers turned a university's network against itself
-http://www.zdnet.com/article/how-iot-hackers-turned-a-universitys-network-against-itself/


Verizon: IoT Calamity: the Panda Monium (PDF)
-http://www.verizonenterprise.com/resources/reports/rp_data-breach-digest-2017-sneak-peek_xg_en.pdf

Recent Attacks Against Banks Appear to Have Ties to Lazarus Cybercrime Group (February 13, 2017)

Recent cyber attacks against banks around the world appear to be related to Lazarus, a cybercrime group responsible for the 2014 attack against Sony Pictures and the theft of USD 81 million from the Bangladesh Central Bank. The recent wave of attacks has hit financial institutions in Poland, the U.S., Mexico, and the U.K. The attacks began in October 2016. They used watering hole attacks by infecting financial regulators' websites with malware that redirected visitors to an exploit kit.

Read more in:

WSJ: Cyberattacks on International Banks Show Links to Hackers Who Hit Sony
-https://www.wsj.com/articles/cyber-attacks-on-international-banks-show-links-to-hackers-who-hit-sony-1486918801


ZDNet: New wave of cyberattacks against global banks linked to Lazarus cybercrime group
-http://www.zdnet.com/article/string-of-cyberattacks-against-global-banks-linked-to-lazarus-cybercrime-group/


The Register: Worldwide bank attack blitz linked to Sony Pictures hacking crew
-http://www.theregister.co.uk/2017/02/13/sony_pictures_hackers_lazarus_returns/

Computerworld: Recent malware attacks on Polish banks tied to wider hacking campaign
-http://computerworld.com/article/3169386/security/recent-malware-attacks-on-polish-banks-tied-to-wider-hacking-campaign.html

Hackers Targeting Journalists (February 10, 2017)

Journalists in the U.S. have been receiving warnings from Google that state-sponsored attackers are trying to access their email accounts. The alerts appear to have begun shortly after the November 2016 presidential election. A former U.S. Ambassador to Russia has received similar warnings.

Read more in:

Politico: State-sponsored hackers targeting prominent journalists, Google warns
-http://www.politico.com/story/2017/02/google-hackers-russia-journalists-234859

Microsoft Office 365 Secure Score (February 10, 2017)

Last week, Microsoft began grading commercial customers' Office 365 security settings. Called Secure Score, the security analytics tool looks only at security features available in Office 365; organizations that use other security products may receive lower scores because they are not using all of Microsoft's offerings. Hartford Financial Services group, an insurance company, says it plans to use the information when calculating cyberinsurance rates for its customers.

Read more in:

WSJ: Microsoft to Rate Corporate Cybersecurity
-https://www.wsj.com/articles/microsoft-to-rate-corporate-cybersecurity-1486749600


Redmond Mag: Microsoft Launches Office 365 Secure Score
-https://redmondmag.com/articles/2017/02/13/microsoft-launches-office-365-secure-score.aspx



*************************** SPONSORED LINKS ********************************

1) Security. It's in our DNS. Find Out More & Visit Infoblox and booth #S2607. http://www.sans.org/info/192012

2) Take the ICS Survey : Share your experiences and enter to win a $400 Amazon gift card! http://www.sans.org/info/192017

3) How are you responding to incidents and attacks? What solutions work best? Share your experiences in our 2017 SANS Incident Response Survey and enter to win a $400 gift card. http://www.sans.org/info/192022

******************************************************************************

THE REST OF THE WEEK'S NEWS

Microsoft Delays February's Security Updates (February 14, 2017)

Microsoft's security updates for February will be delayed. The company writes, "We discovered a last minute issue that could impact some customers and was not resolved in time for our planned updates today. After considering all options, we made the decision to delay this month's updates. We apologize for any inconvenience caused by this change to the existing plan."

Read more in:

Technet: February 2017 security update release
-https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/

Australian Legislators Approve Breach Notification Law (February 13, 2017)

Australia's Senate has passed the Privacy Amendment (Notifiable Data Breaches) Bill 2016. The law requires organizations subject to the country's Privacy Act to report breaches that compromise personal data, payment card information, and tax file numbers to both the Australian Information Commissioner and the affected individuals. Intelligence agencies, political parties, and certain small businesses are exempt. Organizations that use electronic health records are already required to abide by the requirements of the My Health Records Act.

Read more in:

The Australian: Data breach scheme to become law
-http://www.theaustralian.com.au/business/technology/data-breach-scheme-to-become-law/news-story/8c2765681201c0d1c58ece2ebc3022c5


ZDNet: Australia finally gets data breach notification laws at third attempt
-http://www.zdnet.com/article/australia-finally-gets-data-breach-notification-laws-at-third-attempt/


The Register: Australia finally passes mandatory data breach reporting legislation
-https://www.theregister.co.uk/2017/02/13/australia_data_breach_laws_passed/

US Customs and Border Patrol Demanded NASA Scientist's iPhone PIN (February 13, 2017)

NASA scientist Sidd Bikkannavar was detained by U.S. Customs and Border Patrol (CBP) after flying into Houston from Chile, where he had been racing solar cars. Bikkannavar, who is a U.S. citizen and works at NASA's Jet Propulsion Laboratory (JPL), was not allowed to leave until he gave the agent the code to unlock his government-issued smartphone. When the phone was returned, Bikkannavar immediately turned it off until he could give it to the JPL IT department.


[Editor Comments ]



[Williams ]
While this may be news for the US, it is commonplace when transiting other countries' borders. I know of a SANS instructor who was asked by customs officials to unlock his phone when entering Canada. If governments (your own or foreign) are part of your threat model and you travel internationally, store your data in the cloud and sign out of your accounts before passing through customs. This provides some protection against a customs official accessing your cloud-based data (files, email, private social media messages) just because you had to turn over your phone password.


[Murray ]
ICE operates under a broad exception to the Fourth Amendment that says that searching the baggage of those crossing into the US in search of contraband is "reasonable." They have insisted that this gives them the right to search electronic devices. However, they have done it sparingly while refusing to disclose the instructions that are given to agents about how to use this authority. This would appear to be an arbitrary event.

Read more in:

Computerworld: NASA scientist detained at US border until handing over PIN to unlock his phone
-http://computerworld.com/article/3168975/security/nasa-scientist-detained-at-us-border-until-handing-over-pin-to-unlock-his-phone.html


Washington Post: Can federal agents detain citizens at border checkpoints until they disclose their smartphone passcodes?
-https://www.washingtonpost.com/news/volokh-conspiracy/wp/2017/02/13/can-federal-agents-detain-citizens-at-border-checkpoints-until-they-disclose-their-smartphone-passcodes/?utm_term=.607071eb88e6

Arrest in Sports Direct Breach (February 13, 2017)

Authorities in the UK have arrested a man in connection with a breach of the Sports Direct internal employee website. The breach occurred in September 2016. When the suspect was arrested in October, police seized his computer equipment. Analysis found that a database containing personal information of 30,000 Sports Direct employees was on a computer and had also been uploaded to a cloud services account belonging to the suspect. Sports Direct says it was unaware that employee data had been taken at the time of the breach.

Read more in:

The Register: Bloke, 27, arrested, tech gear seized by cops over Sports Direct hack
-http://www.theregister.co.uk/2017/02/13/sports_direct_arrest/

The Register: Sports Direct hacked last year, and still hasn't told its staff of data breach
-https://www.theregister.co.uk/2017/02/08/sports_direct_fails_to_inform_staff_over_hack_and_data_breach/

Guilty Plea in Bugat Malware Case (February 11, 2017)

Andrey Ghinkul has pleaded guilty to charges of conspiracy and damaging a computer for spreading keystroke-logging malware known as Bugat. Also known as Dridex, the malware was used to steal account access credentials. Ghinkul admitted to being part of a group that tried to use that information to steal nearly USD 4.5 million from a Pennsylvania school district and an oil company. He faces up to 15 years in prison.

Read more in:

The Register: Bugat-wielding hacker: Yes, I tried to nick $3.2 m from US schools, oil biz
-http://www.theregister.co.uk/2017/02/11/hacker_guilty_bugat_dridex_us_school_district_oil_company/


Post Gazette: Extradited hacker pleads guilty to scamming Delmont company, Sharon schools
-http://www.post-gazette.com/local/region/2017/02/08/Extradited-hacker-pleads-guilty-to-scamming-Delmont-company-Sharon-schools/stories/201702080187


U.S. Justice Dept.: Moldovan Pleads Guilty to Distributing Bugat Malware
-https://www.justice.gov/usao-wdpa/pr/moldovan-pleads-guilty-distributing-bugat-malware

Eight-Year Prison Sentence for Man Convicted in Global ATM Heists (February 10, 2017)

Ercan Findikoglu has been sentenced to eight years in prison for his role in global ATM heists. Findikoglu, who is from Turkey, was arrested in Germany in 2013; he was extradited to the U.S. in 2015. The crime operation stole USD 55 million from various banks.

Read more in:

Reuters: Turkish hacker behind cyber heists gets 8 years in U.S. prison
-http://www.reuters.com/article/us-usa-cyber-turkey-hacker-idUSKBN15P2DC

Legislators Ask Flynn to Renegotiate Provisions of the Wassenaar Arrangement (February 10, 2017)

A group of legislators has asked U.S. National Security Advisor Michael Flynn to renegotiate certain provisions of the Wassenaar Arrangement, a non-binding agreement that establishes export policies for technologies with military uses. The letter says that as it currently stands, the Wassenaar Arrangement could "undermine our nation's cybersecurity posture and economic competitiveness" by making companies apply "for an export license each time they wish to conduct simple information sharing activities with international subsidiaries, partners, or clients."

Read more in:

The Hill: Reps urge Trump administration to fix cyber trade agreement
-http://thehill.com/policy/cybersecurity/319021-reps-urge-executive-branch-to-fix-cyber-trade-agreement


Langevin: Letter to Lieutenant General Michael Flynn
-https://langevin.house.gov/sites/langevin.house.gov/files/documents/02-10-17_Wassenaar_Letter_to_Gen_Flynn.pdf



[Note: Michael Flynn has resigned his position as National Security Advisor. ]

Expert Says: Election Meddling was Not an Act of War (February 7, 2017)

Michael Schmitt, chairman of the U.S. Naval War College's International Law Department, told the Washington Post that Russia's alleged interference with the November 2016 presidential election was not an act of war. Schmitt said that Russia's actions likely violate international law prohibiting intervention in a state's internal affairs, which does provide grounds for the U.S. to undertake countermeasures. Schmitt spoke with the Post following the release of the "Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations," an updated and expanded version of a 2013 document. Schmitt directed the Tallinn 2.0 initiative.

Read more in:

Washington Post: Russia's apparent meddling in U.S. election is not an act of war, cyber expert says
-https://www.washingtonpost.com/news/checkpoint/wp/2017/02/07/russias-apparent-meddling-in-u-s-election-is-not-an-act-of-war-cyber-expert-says/?utm_term=.8297e138f56f


CCDCOE: Tallinn Manual 2.0
-https://ccdcoe.org/research.html

IBM's Cybersecurity Instance of Watson is Open for Business (February 14, 2016)

IBM has been training Watson to support cybersecurity for over a year. The company is now announcing the "Cognitive SOC," which can analyze hundreds of thousands of events per day. It accepts natural-language input, including speech, and is based on the core Watson AI platform.


[Editor Comments ]



[Northcutt ]
In the past two years I have started to take these high end AI platforms seriously. Here is a quick primer on the core capability:

YouTube: IBM Watson: How it Works
-https://www.youtube.com/watch?v=_Xcmh1LQB9I

Read more in:

IBM: Welcome to the Cognitive SOC
-http://www-03.ibm.com/security/cognitive/

CNET: IBM built a voice assistant for cybersecurity
-https://www.cnet.com/news/ibm-built-a-voice-assistant-for-cybersecurity-hayvn-watson/


INTERNET STORM CENTER TECH CORNER

Vulnerabilities in Samsung KNOX
-https://googleprojectzero.blogspot.de/2017/02/lifting-hyper-visor-bypassing-samsungs.html

Auditing MongoDB Configurations
-https://github.com/stampery/mongoaudit

Reversing JavaScript
-https://isc.sans.edu/forums/diary/Analysis+of+a+Suspicious+Piece+of+JavaScript/22056/

WordPress REST API Flaw Widely Exploited
-https://www.wordfence.com/blog/2017/02/rapid-growth-in-rest-api-defacements/

Cryptographically Secure PHP Development
-https://paragonie.com/blog/2017/02/cryptographically-secure-php-development

New Tool: Packettotal.com
-http://www.packettotal.com

What Not to Decrypt When Intercepting SSL
-https://isc.sans.edu/forums/diary/Stuff+I+Learned+Decrypting/22059/
Webcast:
-https://www.sans.org/webcasts/8-ways-watch-invisible-analyzing-encrypted-network-traffic-103277

Simple Static Malware Analyzer
-https://github.com/secrary/SSMA

Critical Firefox for Android Vulnerability
-https://www.mozilla.org/en-US/security/advisories/mfsa2017-04/

Ubuntu ntfs-3g Privilege Escalation
-https://bugs.chromium.org/p/project-zero/issues/detail?id=1072

Microsoft Patch Tuesday Changes
-http://www.infoworld.com/article/3139922/microsoft-windows/microsoft-to-revamp-its-documentation-for-security-patches.html



***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create