SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #17
February 28, 2017TOP OF THE NEWS
GAO Report on U.S. Grid Resilience
Digital Copyright Holders Want US ISPs to Filter Out Pirated Content
Implications of SHA-1 Collision Attack for Code Repositories
THE REST OF THE WEEK'S NEWS
Windows 10 Creators Update to Offer Option of Allowing Only Windows Store Apps
Proposed Legislation in UK Would Allow Justice Secretary to Order the Use of IMSI Catchers Around Prisons
D-Link Releases Fix for Switch Flaws
Voice Messages from Internet-Connected Toys Stolen, Held for Ransom
Project Zero Discloses Another Microsoft Vulnerability
Two People Charged in Connection with Gas Pump Skimming Scheme
Airport Servers Exposed
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER***************************Sponsored By Malwarebytes******************* Cyberattacks and cybersecurity, or a lack thereof, grabbed media attention on both the corporate and consumer sides, even becoming a key issue in the US presidential election. In this respect, you could say that everyone, even those who have never logged on, was affected by cyberattacks and hacking in 2016. Check out this research paper." http://www.sans.org/info/192387 ***************************************************************************
TRAINING UPDATE
-- SANS London March 2017 | London, GB | March 13-28, 2017 | https://www.sans.org/event/london-march-2017
-- SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017
-- SANS ICS Security Summit & Training | Orlando, FL | March 20-27, 2017 | https://www.sans.org/event/ics-security-summit-2017
-- SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017
-- SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017
-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017
-- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017
-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017
-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017
-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/***************************************************************************
TOP OF THE NEWS
GAO Report on U.S. Grid Resilience (February 27, 2017)
According to a report from the U.S. Government Accountability Office (GAO), the Department of Energy, the Department of Homeland Security, and the Federal Energy Regulatory Commission have worked together on 27 energy grid resiliency programs since 2013. The 27 projects address cybersecurity, physical security, and natural disasters. While some of the resilience programs overlap one another, GAO found that costs were not duplicated.[Editor Comments]
[Murray] We desperately need a metric (e.g., mean-time to a 90% service level from a massive failure?) for infrastructure resilience. William Thomson, Lord Kelvin, taught that if you cannon measure it you cannot recognize its presence or its absence. W. Edwards Deming taught us that if you cannot measure it, you cannot improve it.
Read more in:
CyberScoop: Report: Electrical grid cybersecurity efforts across U.S. government are 'fragmented' https://www.cyberscoop.com/electrical-grid-cybersecurity-doe-dhs-gao-report/ GAO: Federal Efforts to Enhance Grid Resilience http://www.gao.gov/products/GAO-17-153
Digital Copyright Holders Want US ISPs to Filter Out Pirated Content (February 26, 2017)
The Recording Industry Association of America (RIAA) and other digital copyright groups are asking U.S. legislators to require Internet service providers (ISPs) to filter out pirated content. Currently, the Digital Millennium Copyright Act (DMCA) offers ISPs safe harbor as long as they remove identified pirated content "expeditiously." The groups say that the current DMCA notice-and-takedown process is "burdensome - and ultimately ineffective."[Editor Comments]
[Pescatore] Last week, Google and Bing signed agreements to filter links to pirated content in the UK from their search engines, a good thing. ISPs filtering known pirated content in the US could also be a good thing - especially if it then leads to the ISPs filtering known malware or attacks. Since illegal or malicious contents represents more than 60% of the bits flowing into Internet connections, the ISPs have long avoided doing so.
[Murray] Copyright holders should not be able to mandate costs on others to prop up their broken pricing scheme. When one's cost of replication falls, one should lower one's price and make up the profit in increased volume.
[Williams] I feel for copyright holders and have been on both sides of the DMCA myself. But the DMCA is bad legislation overall and this request would only make it worse. In order to implement the proposed requirement, ISP's would have to monitor all Internet traffic in inspect content to discover pirated content. This would be a disaster for privacy, especially if ISP's were required to decrypt traffic to find pirated content. Well-meaning legislation (protecting copyright holders) often has horrible side effects, particularly for privacy.
Read more in:
Ars Technica: Forget DMCA takedowns - RIAA wants ISPs to filter for pirated content https://arstechnica.com/tech-policy/2017/02/forget-dmca-takedowns-riaa-wants-isps-to-filter-for-pirated-content/ Softpedia: RIAA, Other Copyright Holder Want ISPs to Introduce Piracy Filters http://news.softpedia.com/news/riaa-other-copyright-holders-want-isps-to-introduce-piracy-filters-513328.shtml
Implications of SHA-1 Collision Attack for Code Repositories (February 26 & 27, 2017)
The SHA-1 collision attack announced last week could be used to break code repositories that use the Subversion (SVN) revision control system. The WebKit browser engine repository was corrupted by a demonstration of the method just hours after researchers from Google and the Netherlands announced their findings. Git (and Linux) founder Linus Torvalds is not very concerned about such an attack, because, he said, implementing some simple checks could thwart the attacks.[Editor Comments]
[Murray] This demonstration tells security people what the strength and limitations of SHA-1 are, not that it is ineffective or unusable. While the cost of this attack will fall, perhaps even exponentially, we have ample time to address it.
[Honan] I agree with Linus Torvalds when he says "The sky isn't falling" in relation to this issue. While we still don't implement basic defences properly to defend against the likes of ransomware, phishing, etc. we need to focus on those basics tenets rather than the exotic attacks such as SHA-1 collisions
Read more in:
Computerworld: SHA-1 collision can break SVN code repositories http://computerworld.com/article/3174679/security/sha-1-collision-can-break-svn-code-repositories.html ZDNet: Linus Torvalds on SHA-1 and Git: 'The sky isn't falling' http://www.zdnet.com/article/linus-torvalds-on-sha-1-and-git-the-sky-isnt-falling/ The Register: Git fscked by SHA_1 collision? Not so fast, says Linus Torvalds http://www.theregister.co.uk/2017/02/26/git_fscked_by_sha1_collision_not_so_fast_says_linus_torvalds/ *************************** SPONSORED LINKS ********************************
1) Endpoint Protection...What really matters? Register now for this 5-part Webcast Series: http://www.sans.org/info/192392 2) Ready to Replace AV? Download the Corporate Antivirus Comparison Checklist: http://www.sans.org/info/192397 3) How the new Preemptive Incident "Response methodology can slash end-to-end IR time for SOC teams to minutes and solve alert fatigue" Register: http://www.sans.org/info/192422 ******************************************************************************
THE REST OF THE WEEK'S NEWS
Windows 10 Creators Update to Offer Option of Allowing Only Windows Store Apps (27 & 28 February 2017)
A new option in the forthcoming Windows 10 Creators Update will allow the blocking of apps that are not from the Windows Store. The option would prevent classic Win32 apps from downloading, which could reduce the presence of bloatware and malware. Windows 10 does support Win32 apps, but only UWP apps may be distributed through the Microsoft Store. The Creators Update is expected to be released in April.[Editor Comments]
[Pescatore] Apple iOS and Google Android have been making app stores the default for years now and the vast majority of users prefer that approach! It is long past time for Microsoft to work to drive the Windows world in the app store direction as the default. If gamers and other high end users want to disable it, no problem - but out of the box "curated" software controls should be the norm. Of course, Microsoft would have to invest in having a large and secure app store...
[Murray] I agree with John Pescatore. It is high time that Microsoft put security ahead of openness for openness sake and backward compatibility.
[Honan] Using the Windows Store is one way that Windows Mobile on Microsoft Smartphones prevents malware etc. from loading onto the device. However, as with all security controls we should not rely on just one control and restricting access to the Windows Store should not be an excuse to remove other anti-malware controls.
Read more in:
ZDNet: Windows 10 to permit block on apps installing if they're not from Microsoft Store http://www.zdnet.com/article/windows-10-to-permit-block-on-apps-installing-if-theyre-not-from-microsoft-store/ The Register: Microsoft slaps Apple Gatekeeper-like controls on Windows 10: Install only apps from store http://www.theregister.co.uk/2017/02/28/microsoft_restricts_windows_software/
Proposed Legislation in UK Would Allow Justice Secretary to Order the Use of IMSI Catchers Around Prisons (February 27, 2017)
Legislation introduced in British Parliament last week would allow the use of IMSI catchers, or cell-site simulators, around prisons. The Justice Secretary would have the authority to order mobile networks to deploy the technology near prisons to prevent, detect, or investigate the use of mobile phones in prisons. Currently, the technology can be used only within prison walls and must be commissioned by prison governors.Read more in:
The Register: New prison law will let mobile networks deploy IMSI catchers http://www.theregister.co.uk/2017/02/27/prison_courts_bill_imsi_catcher_wireless_interference/ SC Magazine: New bill to allow prisons to deploy IMSI catchers outside of prisons https://www.scmagazineuk.com/new-bill-to-allow-prisons-to-deploy-imsi-catchers-outside-of-prisons/article/640389/
D-Link Releases Fix for Switch Flaws (February 27, 2017)
D-Link has released a firmware update to address authentication bypass and information disclosure flaws in its DGS-1510 Websmart switch series. The currently available patches are in beta release but the risks posed by the vulnerabilities are serious enough that users would be well-advised to update right away.Read more in:
The Register: D-Link resolves enterprise switch hacker risk http://www.theregister.co.uk/2017/02/27/dlink_router_flaw/ D-Link: D-Link DGS-1510 Websmart Switch Series - Security Patch: Beta release http://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10070
Voice Messages from Internet-Connected Toys Stolen, Held for Ransom (February 27, 2017)
Spiral Toys, which sells Internet connected stuffed animals called CloudPets that parents and children can use to send messages to each other, stored customer data in a public-facing database that required no authentication. The information was accessed and millions of messages have been held for ransom.[Editor Comments]
[Murray] Mostly harmless but there may be nasty edge cases. May be threatening to the continuity of Spiral Toys. Innovators would do well to ask early "what could possibly go wrong?"
Read more in:
CyberScoop: Internet-connected teddy bear company hacked, 2 million parent-child voice messages held ransom https://www.cyberscoop.com/internet-connected-teddy-bear-company-hacked-2-million-parent-child-voice-messages-held-ransom/ CNET: Smart toy flaws make hacking kids' info child's play https://www.cnet.com/news/cloudpets-iot-smart-toy-flaws-hacking-kids-info-children-cybersecurity/
Project Zero Discloses Another Microsoft Vulnerability (February 24 & 27, 2017)
Google's Project Zero has disclosed a flaw in Microsoft's Internet Explorer and Edge browsers that could be exploited to crash the browsers and execute code. Project Zero notified Microsoft about the issue on November 25 and expressed surprise that the vulnerability has not yet been patched.[Editor Comments]
[Williams] It's a little surprising that Microsoft didn't get patches out for this vulnerability that impacts such a wide user base. If anything, this illustrates just how hard it can be to meet Google's 90-day deadline. Without a deadline for release however, my experience is that most vendors will stall indefinitely always asking for more time. The vulnerability itself is a type confusion and is protected by Microsoft's Control Flow Guard (CFG), making exploitation more difficult to achieve. This difficulty may have contributed to Microsoft's decision to delay the patch.
Read more in:
ZDNet: Google: We're puzzled Windows 10's Edge, IE flaw hasn't been patched by Microsoft http://www.zdnet.com/article/google-were-puzzled-windows-10s-edge-ie-flaw-hasnt-been-patched-by-microsoft/ The Register: Google's Project Zero reveals another Microsoft flaw http://www.theregister.co.uk/2017/02/27/google_project_zero_reports_flaw_in_ie_edge/ Computerworld: Google discloses unpatched IE flaw after Patch Tuesday delay http://computerworld.com/article/3174192/security/google-discloses-unpatched-ie-flaw-after-patch-tuesday-delay.html Ars Technica: Google reports "high-severity" bug in Edge/IE, no patch available https://arstechnica.com/security/2017/02/high-severity-vulnerability-in-edgeie-is-third-unpatched-msft-bug-this-month/ Project Zero: Microsoft Edge and IE: Type confusion in HandleColumnBreakOnColumnSpanningElement https://bugs.chromium.org/p/project-zero/issues/detail?id=1011
Two People Charged in Connection with Gas Pump Skimming Scheme (February 23 & 27, 2017)
The U.S. Attorney has announced that two people have been charged with wire fraud, conspiracy to commit wire fraud, and aggravated identity theft for their alleged roles in a gas station card skimming scheme. The affected gas pumps are in Florida, Alabama, Tennessee, and Virginia.Read more in:
Dark Reading: Two Charged In Gas Station Cars-Skimming Scheme http://www.darkreading.com/attacks-breaches/two-charged-in-gas-station-card-skimming-scheme/d/d-id/1328267? DOJ: Two Individuals Charged for a Gas Station Debit Card Skimming Operation that Involved Multiple States (PDF) https://www.secretservice.gov/data/press/releases/2017/17-FEB/DOJ-Two-Charged-Skimming-Operation.pdf
Airport Servers Exposed (February 24 & 27, 2017)
Server backups for Stewart International Airport in New Windsor, New York were found to have been exposed on the Internet for nearly a year. Stewart International Airport lies roughly 60 miles north of New York City. Internet connected storage drive with backup images of the airport's servers - neither the drive nor the images were password protected. The contractor responsible for the issue was notified and the drive appears to have been secured.[Editor Comments]
[Northcutt] The security of backup data is always an an issue. However you do not expect it to be online and not password protected]
[Williams] This misconfiguration (and possible data loss) was caused by an a contractor. The key takeaway here is to examine your own service provider contracts and determine what responsibility the contracted party has to secure your data. Also determine what contract penalties apply if your data is not kept adequately secured. Finally, determine what their reporting requirements are - e.g. if they discover they have left your data exposed but fix the problem, are they required to notify you?
Read more in:
ZDNet: Security lapse exposed New York airport's critical servers for a year http://www.zdnet.com/article/unsecured-servers-at-new-york-airport-left-exposed-for-a-year/ ZDNet: Leaked documents reveal airport's catalog of security lapses http://www.zdnet.com/article/leaked-files-reveal-catalog-of-airport-security-lapses/
INTERNET STORM CENTER TECH CORNER
Cloudflare Leaks Data
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/IE/Edge Denial of Service
https://bugs.chromium.org/p/project-zero/issues/detail?id=1011#c2"Dynamite Phishing"
https://isc.sans.edu/forums/diary/Dynamite+Phishing/22121/Google Credentials Problems
https://productforums.google.com/forum/#!category-topic/gmail/LOt2x1_c3KMGoogle Chrome TLS 1.3 Update Causes Issues with Bluecoat
https://bugs.chromium.org/p/chromium/issues/detail?id=694593Windows 10 Will Implement "Gatekeeper" Like Technology
https://twitter.com/vitorgrs/status/835674417602637824Google Releases E2EMail Chrome Plugin
https://security.googleblog.com/2017/02/e2email-research-project-has-left-nest_24.htmlDecrypting SCOM "RunAs" Credentials
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/february/scomplicated-decrypting-scom-runas-credentials/***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create