SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #15
February 21, 2017TOP OF THE NEWS
Data Breach Costs $350 Million in Verizon Purchase of Yahoo
Google's Project Zero Discloses Details of Windows Graphics Library Flaws
Nearly Three Years in Prison for Disgruntled Former Employee
NIST Seeking Input on Grid Protection Guide
THE REST OF THE WEEK'S NEWS
Kim Dotcom Loses Extradition Fight
Search Engines Will Demote Piracy Sites in UK Search Results
Russian Terms in Banking Malware Seen as Decoy
FBI Looking Into Russian Election Meddling
Election Systems Designation as Critical Infrastructure Raises Questions
Used Connected Cars Pose Security Risk
Some Android Apps Put Cars at Increased Risk of Theft
German Government Agency Bans Talking Doll Over Privacy and Security Concerns
Krebs-Focused Cybercriminals Have Received Sentences
Financial Industry Cyber Security Regulations in NY Take Effect Next Month
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER***************************Sponsored By Malwarebytes*********************Cyberattacks and cybersecurity, or a lack thereof, grabbed media attention on both the corporate and consumer sides, even becoming a key issue in the US presidential election. In this respect, you could say that everyone, even those who have never logged on, was affected by cyberattacks and hacking in 2016. Check out this research paper." http://www.sans.org/info/192247 ***************************************************************************
TRAINING UPDATE
-- SANS London March 2017 | London, GB | March 13-28, 2017 | https://www.sans.org/event/london-march-2017
-- SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017
-- SANS ICS Security Summit & Training | Orlando, FL | March 20-27, 2017 | https://www.sans.org/event/ics-security-summit-2017
-- SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017
-- SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017
-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017
-- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017
-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017
-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017
-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/***************************************************************************
TOP OF THE NEWS
Data Breach Costs $350 Million in Verizon Purchase of Yahoo (February 21, 2017)
Verizon and Yahoo have agreed to cut the acquisition price by $350 million following Yahoo's disclosures in recent months of two massive security breaches affecting more than one billion users.[Editor Comments]
[Pescatore] Not only did Yahoo's security breach cause Verizon to reduce by $350M what they were willing to pay for Yahoo's Internet business, but Yahoo also had to agree to pay for 50% of any future costs. That essentially means Yahoo's failures in security cost the company at least $700M in revenue from the sale and that is on top of the costs they have already incurred in dealing with the breach, which likely at least doubles the impact - a $1.5B hard cost. That will definitely get the attention of Boards of Directors - making this news item a good opportunity for CISOs to advance strategies and plans for changes needed to make sure it doesn't happen to their companies.
[Editor Comments]
[Murray]"You can pay me now, or you can pay me later." But you must pay. You can pay for security or you can pay for losses. But you must pay. You can pay the direct cost of a breach early or the indirect cost late. But you must pay. Security costs are manageable and predictable; losses are not. It is sometimes easier to find the money to cover losses (there is always money to do that which must be done), than to budget for security. Luck is not a strategy. Hope is not a strategy. Read more in:
Verizon cuts Yahoo deal price by $350 million http://money.cnn.com/2017/02/21/technology/yahoo-verizon-deal/
Why Verizon Decided to Still Buy Yahoo After Big Data Breaches https://www.wsj.com/articles/why-verizon-decided-to-still-buy-yahoo-after-big-data-breaches-1487679768?mod=djemalertTECH
Google's Project Zero Discloses Details of Windows Graphics Library Flaws (February 20, 2017)
Google's Project Zero has published details of vulnerabilities in the Windows Graphic Component GDI library. Microsoft's scheduled security update for February was expected to include fixes for the issue, but Microsoft has delayed the updates until March. Microsoft released a patch for the issue last June, but Project Zero maintains that the patch only partially addressed the problem.[Editor Comments]
[Pescatore] Google's Project Zero rules allow a 14 day extension on top of the 90 days if a patch will be released within the 14 days. However, Microsoft is still sticking to a rigid monthly patch release cycle, making the fix fall past the 30 days. Microsoft (and other enterprise software vendors were driven to those fixed patch release cycles by CIOs, while Apple, Google and other consumer oriented vendors release patches less predictably but more often. DevOps style acceleration needs to include accelerating patching cycles and requiring software vendors to do the same.
[Murray] "First, do no harm." Even if one grants Google's good intentions, real security people publish work-arounds, not vulnerabilities and certainly not exploits. It is arrogant to believe that one knows better how to meet a competitor's responsibilities or allocate his scarce resources than he does.
[Williams] This highlights the failure to adequately patch a vulnerability, a problem that occurs far too often. Another high profile example of this occurred when Microsoft failed to correctly patch the .LNK vulnerability used by Stuxnet. Microsoft originally patched the .LNK file vulnerability described by CVE-2010-2568 in 2010, but missed an important validation check that wasn't patched until 2015 as part of CVE-2015-0096 (https://threatpost.com/patched-windows-machines-exposed-to-stuxnet-lnk-flaw-all-along/111558/).
Read more in:
V3: Google security group slams Microsoft for Patch Tuesday delay http://www.v3.co.uk/v3-uk/news/3004963/google-security-group-slams-microsoft-for-patch-tuesday-delay
The Register: Google bellows bug news after Microsoft sails past fix deadline http://www.theregister.co.uk/2017/02/20/google_project_zero_discloses_microsoft_bug_again/
Nearly Three Years in Prison for Disgruntled Former Employee (February 16 & 18, 2017)
Brian P. Johnson has been sentenced to nearly three years in prison for damaging his former employer's computer system. After Johnson was fired from his position as sysadmin at Georgia-Pacific in February 2014, he was still able to access the company's computer system via VPN. Johnson accessed and damaged control and quality control systems. Johnson pleaded guilty to with intentionally damaging protected computers. He was also ordered to pay restitution of USD 1.13 million.[Editor Comments]
[Murray] Controls over privileged users continue to be higher risk than necessary, perhaps higher than acceptable. Almost none have given adequate consideration to normal termination, much less unfriendly termination. Before granting privileges, one must consider haw those privileges when it becomes necessary to do so.
Read more in:
The Register: Paper factory fired its sysadmin. He returned via VPN and caused $1m in damage. Now jailed http://www.theregister.co.uk/2017/02/18/it_admin_/
NewsAdvance: Revenge hacker: 34 months, must repay Georgia-Pacific $1.1 million http://www.newsadvance.com/work_it_lynchburg/news/revenge-hacker-months-must-repay-georgia-pacific-million/article_918afb52-f53f-11e6-947a-cff3d79da414.html
DoJ: Former Systems Administrator Sentenced to prison for Hacking into Industrial Facility Computer System https://www.justice.gov/usao-mdla/pr/former-systems-administrator-sentenced-prison-hacking-industrial-facility-computer
NIST Seeking Input on Grid Protection Guide (February 17, 2017)
The U.S. National Institute of Standards and Technology (NIST) is accepting public comment on a draft version of Cybersecurity Practice Guide SP 1800-7, Situational Awareness for Electric Utilities. The document is "a draft guide for electric utilities to detect and remediate cyber anomalies, investigate those incidents and share findings with other energy companies." NIST is accepting comments through April 17, 2017.[Editor Comments]
[Paller] Mike Assante, the RSA 2017 keynoter on how cyber attacks on utilities are carried out and what's coming next, makes the one key point that is COMPLETELY missed in the NIST authors - that tools (the NIST study recommends utilities buy several) are ineffective unless the skills of the technical staff are up to the job. Could it be that the authors at NIST do not have the technical skills to find intruders either, so they don't know the value of those skills?
[Northcutt] This is pretty cool. NIST took the time to work with vendors in the field.
Read more in:
Nextgov: NIST wants to know how utility companies can deter hackers http://www.nextgov.com/cybersecurity/2017/02/nist-wants-know-how-utility-companies-deter-hackers/135555/?oref=ng-channeltopstory
NIST: NIST Cybersecurity Practice Guide, Special Publication 1800-7: "Situational Awareness for Electric Utilities" ?https://nccoe.nist.gov/projects/use_cases/situational_awareness
***************************SPONSORED LINKS********************************
1) Non-Malware Attacks and Ransomware Take Center Stage - Download the Report. http://www.sans.org/info/192267
2) Join RSA identity experts to learn how the right identity and access management technology can help you. Register: http://www.sans.org/info/192257
3) Real DevSecOps for the Security Practitioner. Register to Learn more: http://www.sans.org/info/192262
******************************************************************************
THE REST OF THE WEEK'S NEWS
Kim Dotcom Loses Extradition Fight (February 18 & 20, 2017)
New Zealand's High Court has ruled that Megaupload founder Kim Dotcom can be extradited to the United States. Authorities in the U.S. have been seeking extradition of Dotcom and three associates since 2012. All four plan to appeal the ruling.Read more in:
BBC: Kim Dotcom can be extradited, New Zealand High Court rules http://www.bbc.com/news/world-asia-39024596
WSJ: Kim Dotcom Loses Appeal on U.S Extradition https://www.wsj.com/articles/kim-dotcom-loses-appeal-on-u-s-extradition-1487565638
CNET: Kim Dotcom eligible for extradition to US in Megaupload case https://www.cnet.com/news/kim-dotcom-eligible-for-extradition-to-usa-megaupload-new-zealand-high-court/
Search Engines Will Demote Piracy Sites in UK Search Results (February 20, 2017)
The Google and Microsoft's Bing search engines will demote sites that offer pirated music, film, and sports content. The companies have signed a voluntary code of practice with the British Phonographic Industry (BPI) and Motion Picture Association promising to reduce "the visibility of infringing content in search results by 1 June 2017."[Editor Comments]
[Pescatore] Search engines making it harder for users to access dangerous or illegal content is a good thing, and most advertisers (the revenue source for search engines) don't want their ads showing up next to such content. Since ISPs' revenue is based on more bits flowing, they have no business incentive to block known malware or pirated content. ISPs in some countries have similar voluntary codes to block known attacks, but in the US it has been years of talk and no coordinated action.
Read more in:
BBC: Google and Bing to demote pirate sites in UK web searches http://www.bbc.com/news/technology-39023950
Ars Technica: Google and Microsoft agree to demote piracy search results in the UK https://arstechnica.com/gaming/2017/02/google-and-microsoft-demote-piracy-sites/
Russian Terms in Banking Malware Seen as Decoy (February 20 & 21, 2017)
Samples of the malware used in recent attacks against banks around the world contain poorly-translated Russian terms and commands. Researchers at BASE Systems who examined the code say it's likely an attempt to throw investigators off the trail. The attacks are believed to be the work of a cybercrime group known as Lazarus, which has targeted government and private company systems in the U.S. and South Korea.Read more in:
Computerworld: Hackers behind bank attack campaign use Russian decoy http://computerworld.com/article/3172119/security/hackers-behind-bank-attack-campaign-use-russian-decoy.html
ITNews: Malware authors camouflage code with Russian terms https://www.itnews.com.au/news/malware-authors-camouflage-code-with-russian-terms-452012
FBI Looking Into Russian Election Meddling (February 18 & 20, 2017)
The FBI is pursuing at least three probes into allegations Russia interfered with the U.S. presidential election in November. One FBI office is seeking to identify those responsible for breaking into the Democratic National Committee's computers in 2015 and 2016. Another office is trying to uncover the identity or identities behind an attacker who goes by the name Guccifer 2, and who posted emails stolen from Clinton campaign manager John Podesta. A third investigation is looking into payments made from Russia to shell companies that may have ties to associates of government leaders.Read more in:
V3: FBI pursues cyber leads over Russian meddling in US elections http://www.v3.co.uk/v3-uk/news/3004935/fbi-pursues-cyber-leads-over-russian-meddling-in-us-elections
The Hill: FBI pursuing at least 3 probes of Russian-backed hacking: report http://thehill.com/blogs/blog-briefing-room/news/320272-fbi-pursuing-3-investigations-of-russian-hacks
Reuters: U.S. inquiries into Russian election hacking include three FBI probes http://www.reuters.com/article/us-usa-trump-russia-cyber-idUSKBN15X0OE
Election Systems Designation as Critical Infrastructure Raises Questions (February 17, 2017)
At the U.S. National Association of Secretaries of State winter meeting, attendees expressed concern about what the Department of Homeland Security's (DHS's) designation of elections systems as critical infrastructure. Many want to know what DHS's role will be in their state elections. Neil Jenkins, chief of policy and planning at DHS, spoke on a panel at the conference. Jenkins noted that the goal of the designation is "not about more regulation and oversight," but is instead a starting point for sharing information.[Editor Comments]
[Pescatore ] The phrase "I'm from DHS and I'm here to help" is not something that is associated with positive progress in security, unfortunately. If this will be a starting point for "sharing information" then DHS providing states with useful information, vs. asking "Tell us about your vulnerabilities" would be a good way to DHS to start earning a better reputation.
Read more in:
FCW: States still seek answers on election tech https://fcw.com/articles/2017/02/17/states-critical-infrastructure-election.aspx
Used Connected Cars Pose Security Risk (February 17 & 20, 2017)
IBM's Charles Henderson told an audience at the RSA Security Conference in San Francisco how he was able to remotely access systems on a car he had traded in several years earlier. Even though Henderson did a factory reset to remove all personal data from the car before he sold it, the car remained connected to the app on his phone. Even when the app is deleted from a phone, information still in the cloud is not as simple to delete.Read more in:
The Register: Connected car in the second-hand lot? Don't buy it if you're not hack-savvy http://www.theregister.co.uk/2017/02/20/connected_car_in_the_secondhand_lot_dont_buy_it_if_youre_not_hacksavvy/
BBC: Warning on used on cars failing to forget old owners http://www.bbc.com/news/technology-39027458
eWeek: IBM Reveals Security Risks to owners of Previously Owned IoT Devices http://www.eweek.com/security/ibm-reveals-security-risks-to-owners-of-previously-owned-iot-devices.html
Some Android Apps Put Cars at Increased Risk of Theft (February 16 & 20, 2017)
Researchers from Kaspersky Lab tested nine car-related Android apps and found that most lacked adequate security. If attackers can gain root access to the devices, they could potentially locate, unlock, and in some cases start associated cars.Read more in:
Wired: Android Phone Hacks Could Unlock Millions of Cars https://www.wired.com/2017/02/hacked-android-phones-unlock-millions-cars/
The Register: Beeps, roots and leaves: Car-controlling Android apps create theft risk http://www.theregister.co.uk/2017/02/20/android_auto_app_insecurity/
German Government Agency Bans Talking Doll Over Privacy and Security Concerns (February 17 & 18, 2017)
Germany's Federal Network Agency, a government regulatory body, has banned a talking doll over concerns that the technology it uses could threaten children's privacy and security. The agency is advising parents to destroy the Cayla doll, which is engineered to have conversations with children. The doll contains an unsecured Bluetooth device that could be exploited to eavesdrop and to talk to children. Privacy advocates in the U.S. have also filed a complaint with the Federal Trade Commission (FTC), saying that the doll allowed companies to collect information about children and advertise other products.[Editor Comments]
[Murray] Our children are going to live in a world in which many of their toys talk and listen, and generally tell the truth. Every now and then they must check with dad. They will live in a world where skill in asking questions and forming queries will be second only to that of evaluating the answers that they get. They will learn these skills in play. Their play is risky and will always make their parents uncomfortable, not to say fearful.
[Williams] I seriously doubt Cayla is part of anyone's threat model. While I don't want any Bluetooth devices eavesdropping on my employees, this (very large) doll isn't exactly covert and represents a very low threat. There are much better things to spend your infosec cycles on than Calya. My daughter has the one that my company bought for research and I won't be destroying it.
Read more in:
The Register: Smash up your kid's Bluetooth-connected Cayla 'surveillance' doll, Germany urges parents http://www.theregister.co.uk/2017/02/17/cayla_doll_banned_in_germany/
SC Magazine: Talking doll susceptible to hack: Destroy it, says German agency https://www.scmagazine.com/talking-doll-susceptible-to-hack-destroy-it-says-german-agency/article/638723/
CS Monitor: Privacy concerns threaten sales of hi tech doll http://www.csmonitor.com/Technology/2017/0218/Privacy-concerns-threaten-sales-of-hi-tech-doll
Reuters: Germany bans talking doll Cayla, citing security risk http://www.reuters.com/article/us-germany-cyber-dolls-idUSKBN15W20Q
Krebs-Focused Cybercriminals Have Received Sentences (February 17, 2017)
In two separate cases, two men who targeted Brian Krebs with malicious attacks - one arranged for heroin to be sent to Krebs's home and the other placed a phony call to emergency services that resulted in a SWAT team arriving at Krebs's home - have received sentences. The man who tried to frame Krebs for receiving drugs in the mail has been sentenced to 41 months in prison on unrelated cybercrime charges. The man who swatted Krebs was sentenced to three years of probation.Read more in:
KrebsOnSecurity: Men Who Sent Swat Team, Heroin to My Home Sentenced https://krebsonsecurity.com/2017/02/men-who-sent-swat-team-heroin-to-my-home-sentenced/
BBC: Guru Brian Krebs' attackers sentenced for data theft http://www.bbc.com/news/technology-39027455
Financial Industry Cyber Security Regulations in NY Take Effect Next Month (February 17, 2017)
New York State Department of Financial Services cybersecurity regulations for financial institutions and insurance companies will take effect on March 1, 2017. The regulations require institutions to have a CISO, use multifactor authentication, and report breaches within 72 hours. Organizations must also develop a cybersecurity program and a written incident response plan. While the regulations take effect on March 1, organizations have 180 days to come into compliance, and there are longer grace periods for certain provisions.[Editor Comments]
[Williams] The requirement for a documented incident response plan is an excellent step for increasing security as is the requirement to have a CISO. However, where's the requirement to have a third party penetration test. I understand the value of using internal teams for continuous vulnerability assessment. But periodic third party security helps avoid the group think that often takes hold of internal teams.
Read more in:
BankInfoSecurity: Reworked N.Y. Cybersecurity Regulation Takes Effect in March http://www.bankinfosecurity.com/reworked-ny-cybersecurity-regulation-takes-effect-in-march-a-9733
INTERNET STORM CENTER TECH CORNER
AVM Private Key Leak Puts Cable Modems at Risk
https://isc.sans.edu/forums/diary/AVM+Private+Key+Leak+Puts+Cable+Modems+Worldwide+At+Risk/22076/OpenSSL Update
https://isc.sans.edu/forums/diary/OpenSSL+110e+Update+No+need+to+panic+openssl/22074/Microsoft Update Delayed
https://blogs.technet.microsoft.com/msrc/2017/02/14/february-2017-security-update-release/ANC Attack ASLR Bypass
https://www.vusec.net/projects/anc/RTRBK: Router, Switch, Firewall Backups in Powershell
https://isc.sans.edu/forums/diary/RTRBK+Router+Switch+Firewall+Backups+in+PowerShell+tool+drop/22079/Windows EMF Imge 0-Day Memory Leak
https://bugs.chromium.org/p/project-zero/issues/detail?id=992Brazilian Traffic Ticket Malspam
https://isc.sans.edu/forums/diary/Brazilian+malspam+sends+Autoitbased+malware/22081/Using XXE To Send E-Mail
https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/Hardening Postfix Against FTP Relay Attacks
https://isc.sans.edu/forums/diary/Hardening+Postfix+Against+FTP+Relay+Attacks/22086/Kaspersky Examines Mobile Car Apps
https://securelist.com/analysis/publications/77576/mobile-apps-and-stealing-a-connected-car/Cars "Remember" Prior Owners
http://money.cnn.com/2017/02/17/technology/used-car-hack-safety-location/Xen Project Reconsidering Vulnerability Disclosure Policy
https://blog.xenproject.org/2017/02/14/request-for-comment-scope-of-vulnerabilities-for-which-xsas-are-issued/Stagefright Vulnerability had minimal effect on Android Security
https://www.rsaconference.com/speakers/adrian_ludwig***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create