Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #14

February 17, 2017

TOP OF THE NEWS


The Seven Most Dangerous New Attack Techniques
Android Malware Hits Israeli Soldiers' Phones
Microsoft's Brad Smith Calls for Digital Geneva Convention
Chairman McCaul at RSA: U.S. Must Improve Approach to Cyber Security

THE REST OF THE WEEK'S NEWS


Pentagon Hired Researchers to Plumb Internal Systems for Vulnerabilities
Analysis Identifies Shamoon Attack Vectors
U.S. Legislators Question Use of Secure Messaging Apps at EPA
Microsoft's February Security Update Delayed Until March
Yahoo Notifying Users Their Accounts May Have Been Accessed in Forged Cookie Attack
Adobe Releases Flash Updates
US Legislators Introduce Bills to Curtail Access to Geolocation Data Without a Warrant
Ukraine Says Russia is Launching Cyberattacks Against Infrastructure
CPU Flaw Can Be Exploited to Bypass ASLR

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


*************************** Sponsored By Malwarebytes ********************
Cyberattacks and cybersecurity, or a lack thereof, grabbed media attention on both the corporate and consumer sides, even becoming a key issue in the US presidential election. In this respect, you could say that everyone, even those who have never logged on, was affected by cyberattacks and hacking in 2016. Check out this research paper. http://www.sans.org/info/192242


TRAINING UPDATE



--SANS London March 2017 | London, GB | March 13-28, 2017 | https://www.sans.org/event/london-march-2017

--SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017

--SANS ICS Security Summit & Training | Orlando, FL | March 20-27, 2017 | https://www.sans.org/event/ics-security-summit-2017

--SANS Pen Test Austin 2017 | March 27-April 1 https://www.sans.org/event/pentest2017

--SANS 2017 | Orlando, FL | April 7-14 https://www.sans.org/event/sans-2017

--Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017

--SANS Baltimore Spring 2017 | April 24-29 https://www.sans.org/event/baltimore-spring-2017

--SANS London July 2017 | July 3-8 https://www.sans.org/event/london-july-2017

--SANS Cyber Defence Singapore | July 10-15 https://www.sans.org/event/cyber-defence-singapore-2017

--SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.

--OnDemand - https://www.sans.org/ondemand/specials

--vLive - https://www.sans.org/vlive/specials

--Single Course Training

SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/

--View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

The Seven Most Dangerous New Attack Techniques (February 15, 2017)

Wednesday morning at the RSA 2017 Security the keynotes began with SANS faculty Ed Skoudis, Michael Assante, and Johannes Ullrich presenting the 10th annual "seven most dangerous new cyberattacks" and including techniques for mitigation. One of the most provocative was Ed Skoudis' description of the intersection of ransomware and IOT asking, "how much would you pay to get your factory working again?" The seven new techniques they covered are summarized at https://www.sans.org/the-seven-most-dangerous-new-attack-techniques?utm_campaign=annoucement_bar&utm_source=sans&utm_content=3432

And the full presentation is available at https://www.rsaconference.com/videos/the-seven-most-dangerous-new-attack-techniques-and-whats-coming-next2017

Read more in:

ZDNet: The seven most dangerous attack techniques: A SANS institute rundown
http://www.zdnet.com/article/the-seven-most-dangerous-attack-techniques-a-sans-institute-rundown/

eWeek: Ransomeware Heads List of 7 Most Dangerous New Cyber-Attack Techniques
http://www.eweek.com/security/ransomeware-heads-list-of-7-most-dangerous-new-cyber-attack-techniques.html

SC Magazine: Ransomware, IoT combo lead SANS list of dangerous attack techniques
https://www.scmagazine.com/ransomware-iot-combo-lead-sans-list-of-dangerous-attack-techniques/article/638341/

Android Malware Hits Israeli Soldiers' Phones (February 16, 2017)

Android phones belonging to more members of the Israel Defense Forces (IDF) were infected with malware from a cyberespionage group, according to research from Kaspersky Lab and Lookout. The malware made its way onto the devices through deceptive social media accounts and stole information from the devices of more than 100 IDF members. A similar attack targeted mobile phones used by Ukrainian artillery personnel.

Read more in:

Computerworld: Israeli soldiers hit by Android malware from cyberespionage group
http://computerworld.com/article/3171148/security/israeli-soldiers-hit-by-android-malware-from-cyberespionage-group.html

CyberScoop: Israeli soldiers' personal Android phones hacked by spies, researcher say
https://www.cyberscoop.com/israeli-soldiers-personal-android-phones-hacked-spies-researchers-say/?category_news=technology

Microsoft's Brad Smith Calls for Digital Geneva Convention (February 14 & 15, 2017)

Microsoft president Brad Smith told an audience at a keynote speech at the RSA Security Conference, "We now need a Digital Geneva Convention that will commit governments to protecting civilians from nation-state attacks in times of peace." Smith called on the tech sector to "commit ourselves to collective action that will make the internet a safer place."

Read more in:

Microsoft: The need for a Digital Geneva Convention
https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/#sm.0000007mx8kgaypf2hxpi5ku113c3

Technology Review: Do We Need a Digital Geneva Convention?
https://www.technologyreview.com/s/603639/do-we-need-a-digital-geneva-convention/

CNET: Microsoft wants 'Digital Geneva Convention' on cyberattacks
https://www.cnet.com/news/microsoft-digital-geneva-convention-brad-smith/

McCaul at RSA: U.S. Must Improve Approach to Cyber Security (February 14 & 15, 2017)

In a keynote address at RSA Conference in San Francisco, U.S. Representative Michael McCaul (R-Texas), who chairs the House Homeland Security Committee, said that the U.S. is "in the digital fight of our lives." McCaul said that the U.S. needs to establish an effective deterrence policy for bad actors; to improve information sharing; to find a solution to the privacy and encryption issue that does not include backdoors; and to make recruiting and retaining skilled cybersecurity workers a priority.

Read more in:

eWeek: Homeland Security Chairman: We're in the Fight of Our Digital Lives
http://www.eweek.com/security/homeland-security-chairman-were-in-the-fight-of-our-digital-lives.html

FCW: McCaul describes a bleak cyber landscape
https://fcw.com/articles/2017/02/14/mccaul-rsa-carberry.aspx

The Register: No crypto backdoors, more immigration ... says Republican head of House Committee on Homeland Security
http://www.theregister.co.uk/2017/02/14/republican_homeland_security_committee/


*************************** SPONSORED LINKS *****************************

1) Remediant = next-gen Privileged Access Management solution. Learn more: http://www.sans.org/info/192227

2) Learn how to select a SIEM for targeted attack detection that reflect Gartner's recommendations. http://www.sans.org/info/192232

3) ICS security: SANS needs your input on attacks and threats and how you're preventing and mitigating them in the industrial control systems environments. Share your experiences and enter to win a $400 Amazon gift card! http://www.sans.org/info/192237

***************************************************************************

THE REST OF THE WEEK'S NEWS

Pentagon Hired Researchers to Plumb Internal Systems for Vulnerabilities (February 12 & 14, 2017)

The Pentagon hired security researchers to find critical flaws in some of its internal systems. A group of 80 vetted researchers participated in the pilot program, which lasted approximately one month. The first flaw was found within the first few hours of the program. The Pentagon did not disclose the number or nature of the vulnerabilities, but they are being fixed.

[Editor Comments]
[Pescatore] Another managed bug bounty program success story, with the emphasis on "managed." However, the three efforts run against DoD systems have found lots of low hanging fruit - which just points out the federal government's Certification/Authorization/Authority to Operate approach is ineffective and inefficient. There has also been a glaring lack of the civilian side of the federal government launching similar programs, and they are badly needed there, as well.

Read more in:

FedScoop: Pentagon hackers-for-hire take just 4 hours to find critical vulnerability in sensitive system
https://www.fedscoop.com/pentagon-hackers-hire-take-just-4-hours-find-critical-vulnerability-sensitive-system/

Bloomberg: Pentagon Hires Hackers to Target Sensitive Internal Systems
https://www.bloomberg.com/news/articles/2017-02-13/pentagon-hires-hackers-to-target-sensitive-internal-systems

Analysis Identifies Shamoon Attack Vectors (February 16, 2017)

Researchers at IBM's X-Force Incident Response and Intelligence Services believe they have identified methods attackers use to infect computers with the Shamoon disk-wiping malware. The process begins with spear phishing email messages that contain a maliciously-crafted Word document. The document contains a macro that executes PowerShell scripts, which download and execute other scripts from certain IP addresses. The IBM researchers have also identified two domains used to host Shamoon's malicious executables. IBM recommends blocking connections to the domains as well as to the several IP addresses from which malicious code is downloaded.

Read more in:

The Register: Revealed: Web servers used by disk-nuking Shamoon cyberweapon
http://www.theregister.co.uk/2017/02/16/researchers_catch_drivedestroying_domains_for_cyberwar_shamoon_malware/

U.S. Legislators Question Use of Secure Messaging Apps at EPA (February 10, 15, & 16, 2017)

U.S. legislators are seeking an inquiry into reports that staff at the Environmental Protection Agency (EPA) are using end-to-end encrypted messaging apps to communicate. The legislators say that the use of the apps such as Signal runs afoul of federal record-keeping requirements, which demand transparency. In a related story, reports suggest that "numerous senior GOP operatives and several members of the trump administration" may be using the Confide app, which also uses end-to-end encryption. Confide messages self-destruct.

Read more in:

CNET: GOP demands inquiry into EPA use of encrypted messaging apps
https://www.cnet.com/news/republicans-request-inquiry-into-epa-use-of-encryption-apps/
Ars Technica: House members; EPA officials may be using Signal to "spread their goals covertly"

https://arstechnica.com/tech-policy/2017/02/house-members-epa-officials-may-be-using-signal-to-spread-their-goals-covertly/
The Register: Republicans send anti-Signal signal to US EPA
http://www.theregister.co.uk/2017/02/15/republicans_signal_us_govt/

GCN: Self-destructing messages won't fly in government
https://gcn.com/articles/2017/02/10/message-deletion-records-laws.aspx?admgarea=TC_SecCybersSec

eWeek: Washington Elites Use Secure Messaging Apps to Keep or Leak Secrets
http://www.eweek.com/security/washington-elites-use-secure-messaging-apps-to-keep-or-leak-secrets.html

Microsoft's February Security Update Delayed Until March (February 15, 2017)

Microsoft product security updates originally scheduled for release on February 14, 2017 will be included in the March 14, 2017 batch instead. Microsoft made the decision to delay the release due to "a last minute issue that could impact some customers." Users had been expecting a fix for a zero-day Windows SMB vulnerability that has been exploited in the wild. CERT has suggested a workaround for the issue in its Vulnerability Note.

[Editor Comments]
[Pescatore] Microsoft made the right decision: one bad patch that disrupts business operations can be a huge setback in making progress to shorten the time between patches come out and when operational systems are updated. The irony is that this announcement came on the same day that Microsoft President Brad Smith was speaking at the RSA Conference, where he never once mentioned anything Microsoft was doing to increase the quality of patches, let alone have a month (or more) with no patches...

Read more in:

Technet: February 2017 security update release
https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/

ZDNet: Microsoft to delay its February patches to March 14
http://www.zdnet.com/article/microsoft-to-delay-its-february-patches-to-march-14/

Ars Technica: Microsoft delays Patch Tuesday as world awaits fix for SMB flaw
https://arstechnica.com/information-technology/2017/02/microsoft-delays-patch-tuesday-as-world-awaits-fix-for-smb-flaw/

CERT: Microsoft Windows SMB Tree Connect Response denial of service vulnerability
https://www.kb.cert.org/vuls/id/867968

Yahoo Notifying Users Their Accounts May Have Been Accessed in Forged Cookie Attack (February 15, 2017)

Yahoo has recently notified some users that their accounts may have been breached in the past two years. The attackers used forged cookies to access the accounts. Yahoo disclosed the forged cookie attack in an October 2016 Securities and Exchange Commission (SEC) filing. Yahoo also disclosed two massive data breaches last year.

[Editor Comments]
[Northcutt] When you are logging on to a web site and they say you can authenticate with your FaceBook or Yahoo, or Google or whatever account, Don't do it. Have a unique login for every account and never link one to another. That will not solve everything, but it will reduce your risk. And I realize that people that do not work in security would not like to delete cookies, but as a security professional, try to default to no cookies on your main browser and the one you use to set airline reservations etc, that needs cookies, clean them out on a regular basis. Yes, it is a hassle because you have to log in again and yes, it reduces your attack surface area.

Read more in:

SC Magazine: Yahoo issues new breach warning; Verizon shaves $300M off its Yahoo offer
https://www.scmagazine.com/yahoo-issues-new-breach-warning-verizon-shaves-300m-off-its-yahoo-offer/article/638309/

ZDNet: Yahoo warning users that hackers forged cookies to access accounts
http://www.zdnet.com/article/yahoo-warning-users-that-hackers-forged-cookies-to-access-accounts/

Ars Technica: Yahoo reveals more breachiness to users victimized by forged cookies [Updated]
https://arstechnica.com/information-technology/2017/02/yahoo-reveals-more-breachiness-to-users-victimized-by-forged-cookies/

CNET: Yahoo tells users they were hit with cookie attack
https://www.cnet.com/news/yahoo-tells-more-users-they-were-hit-with-cookie-attack/

Adobe Releases Flash Updates (February 15, 2017)

Adobe has released updates for Flash Player to fix more than a dozen vulnerabilities that could lead to code execution. The flaws include four use-after-free vulnerabilities; four memory corruption vulnerabilities; three heap buffer overflow vulnerabilities; one integer overflow vulnerability; and one type confusion vulnerability. Updates are available for Windows, Mac, Chrome OS, and Linux.

Read more in:

SC Magazine: Adobe issues patches, Microsoft's usual Patch Tuesday fixes delayed
https://www.scmagazine.com/adobe-issues-patches-microsofts-usual-patch-tuesday-fixes-delayed/article/638155/

Adobe: Adobe Security Bulletin
https://helpx.adobe.com/security/products/flash-player/apsb17-04.html

US Legislators Introduce Bills to Curtail Access to Geolocation Data Without a Warrant (February 15, 2017)

Bills introduced in the U.S. House and Senate aim to establish rules regarding law enforcement agencies' access to geolocation data. The Senate's Geolocation Privacy and Surveillance Act would establish rules for when law enforcement agencies may access geolocation data. The House's Cell Location Privacy Act of 2017 would require law enforcement to obtain a warrant prior to the use of cell-site simulators with exceptions for certain emergencies.

Read more in:

Ars Technica: Proposed federal law demands probable-cause warrants for geolocation data
https://arstechnica.com/tech-policy/2017/02/proposed-federal-law-demands-probable-cause-warrants-for-geolocation-data/

Computerworld: Legislation revived to curb warrantless geolocation tracking
http://computerworld.com/article/3170805/security/legislation-revived-to-curb-warrantless-geolocation-tracking.html

Ukraine Says Russia is Launching Cyberattacks Against Infrastructure (February 15, 2017)

Ukraine has alleged that cyberattacks backed by Russia are targeting systems at elements of the country's critical infrastructure, including financial organizations and the power grid. The malware used in the recent attacks appears to be related to BlackEnergy malware. In a separate story, researchers say that computers at critical infrastructure, media, and research organizations in Ukraine are being infected with malware that allows attackers to eavesdrop and steal data. The group behind the scheme is being called BugDrop; it is believed to be backed by a nation-state.

[Editor Comments]
[Assante] Having data stolen from critical infrastructure organizations should set off the internal alarms to review and monitor all the attack paths from your enterprise systems to your ICS. Depending on the information that can be collected you may have illuminated the way and provided enough information to devise an attack concept.

Read more in:
Reuters: Ukraine charges Russia with new cyber attacks on infrastructure
http://www.reuters.com/article/us-ukraine-crisis-cyber-idUSKBN15U2CN

CyberScoop: Spies used malware to eavesdrop Ukrainian businesses and media researcher say
https://www.cyberscoop.com/spies-used-malware-eavesdrop-ukrainian-businesses-media-researchers-say/

CPU Flaw Can Be Exploited to Bypass ASLR (February 14, 2017)

Researchers from the Netherlands have developed an attack technique that uses JavaScript to "undermine ... address-space layout randomization (ASLR)." The issue cannot be fixed with a software update because the method exploits a flaw in hardware. The attack exploits a side channel in the CPU memory cache.

Read more in:

Wired: A Chip Flaw Strips Away Hacking Protections for Millions of Devices
https://www.wired.com/2017/02/flaw-millions-chips-strips-away-key-hacking-defense-software-cant-fully-fix/

Ars Technica: New ASLR-busting JavaScript is about to make drive-by exploits much nastier
https://arstechnica.com/security/2017/02/new-aslr-busting-javascript-is-about-to-make-drive-by-exploits-much-nastier/

Computerworld: JavaScript-based attack simplifies browser exploits
http://computerworld.com/article/3170587/security/javascript-based-attack-simplifies-browser-exploits.html

The Register: ASLR-security-busting JavaScript hack demo'd by university boffins
http://www.theregister.co.uk/2017/02/14/aslr_busting_javascript_hack/


INTERNET STORM CENTER TECH CORNER

Microsoft Cancels Patch Tuesday https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/

Adobe Update For Flash https://helpx.adobe.com/security/products/flash-player/apsb17-04.html

WebSephere Update http://www-01.ibm.com/support/docview.wss?uid=swg21997743

Operation Kingphish https://medium.com/amnesty-insights/operation-kingphish-uncovering-a-campaign-of-cyber-attacks-against-civil-society-in-qatar-and-aa40c9e08852#.965et86vk

Hacking Node-Serialize http://blog.websecurify.com/2017/02/hacking-node-serialize.html

How Was Your Stay At The Hotel La Playa https://isc.sans.edu/forums/diary/How+was+your+stay+at+the+Hotel+La+Playa/22069

XAgent OS X Malware https://labs.bitdefender.com/2017/02/new-xagent-mac-malware-linked-with-the-apt28/

Conference Phone Compromise https://www.contextis.com//resources/blog/phwning-boardroom-hacking-android-conference-phone/



***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create