
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #18

March 3, 2017

A tribute to Howard Schmidt

A man of great accomplishment and passion for cybersecurity passed away yesterday. Howard was one of the longest serving editors of this newsletter, and a few weeks ago he and his wife Raemarie invited me to the lake house in Wisconsin, so I could deliver the Lighthouse Award recognizing a lifetime of leadership in cybersecurity, and for a final hug.

John Pescatore, who led Gartner's cybersecurity group for half his career, spoke thusly of Howard in the Lighthouse Award statement:

"I first met Howard in the late 1990's when I was doing security consulting at Microsoft and Howard joined them as CISO. I immediately saw he was one of those CISOs who "got it" - focus on the things in security that are important to protecting the business and the customers and work to get security injected into all aspects of the business. Over the years he continued to bring that perspective to the government side and the private industry side and was always one who stayed pointed towards true security north."

Howard's career highlights:

"Howard Schmidt has had a long and distinguished career in cybersecurity, shining a bright light on important security issues in government and private industry for over 40 years. He started his career in the Air Force with both active military service and as a civilian employee with AF OSI. He then spent 15 years in law enforcement, first with the Chandler AZ police department and then the FBI. From 1997 to 2001, Howard was CISO at Microsoft before being appointed by President Bush as vice chair of the President's Critical Infrastructure Protection Board and as the special adviser for cyberspace security for the White House. He retired from government and became CISO at eBay before returning to government service in 2009 as President Obama's Cybersecurity Advisor until 2012."

Alan

TOP OF THE NEWS


Yahoo's Top Lawyer Resigns; CEO Will Not Receive Bonus
U.S. Army Perfects "Most Realistic" Cybersecurity Training Environment
Bills in U.S. Congress Would Require FCC to Adopt Stronger Data Security Stance
FCC Temporarily Stays Data Security Rule

THE REST OF THE WEEK'S NEWS


Windows 10 Creators Update Will Give Users More Control Over Update Timing
Cisco NetFlow Generation Appliance Vulnerability
House Committee Forwards Bill That Would Give NIST Auditing Authority
Google Expands Safe Browsing for Chrome on macOS
Malicious iframes in Google Play Apps
New Dridex Variant Employs AtomBombing
NY Financial Cybersecurity Regulations Take Effect
Amazon Cloud Storage Suffers Outage
WordPress NextGEN Gallery Plugin Vulnerability

INTERNET STORM CENTER TECH CORNER


*********** Sponsored By Malwarebytes ***********
Cyberattacks and cybersecurity, or a lack thereof, grabbed media attention on both the corporate and consumer sides, even becoming a key issue in the US presidential election. In this respect, you could say that everyone, even those who have never logged on, was affected by cyberattacks and hacking in 2016. Check out this research paper: http://www.sans.org/info/192507
***************************************************************************


TRAINING UPDATE



-- SANS London March 2017 | London, GB | March 13-28, 2017 | https://www.sans.org/event/london-march-2017

-- SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017

-- SANS ICS Security Summit & Training | Orlando, FL | March 20-27, 2017 | https://www.sans.org/event/ics-security-summit-2017

-- SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017

-- SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017

-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017

-- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017

-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017

-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017

-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Yahoo's Top Lawyer Resigns; CEO Will Not Receive Bonus (March 1, 2017)

Following an investigation prompted by the disclosure of a massive data breach, Yahoo's board of directors has said that the company's CEO, Marissa Mayer, will receive neither her 2016 cash bonus nor her 2017 equity grant. In addition, Yahoo's top attorney, Ronald Bell, has resigned. In the annual filing, Yahoo's board noted that "failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 security incident."

[Editor Comments]

[Honan] At long last: a message to CEOs to pay attention to cybersecurity.

[Paller] And a message to attorneys to be very careful about encouraging dissembling in language about breaches.

Read more in:

WSJ: Yahoo CEO Marissa Mayer Takes Pay Cut Over Security Breach https://www.wsj.com/articles/yahoo-finds-failures-by-senior-executives-in-data-breach-response-1488408925
NYT: Yahoo's Top Lawyer Resigns and C.E.O. Marissa Mayer Loses Bonus in Wake of Hack https://www.nytimes.com/2017/03/01/technology/yahoo-hack-lawyer-resigns-ceo-bonus.html
Computerworld: Yahoo execs botched response to 2014 breach, investigation finds http://computerworld.com/article/3176486/security/yahoo-execs-botched-its-response-to-2014-breach-investigation-finds.html

U.S. Army Perfects "Most Realistic" Cybersecurity Training Environment (March 2, 2017)

As the military services work to perfect techniques to build skills and trust in their cyber protection teams (CPTs), the U.S. Army has perfected an important ingredient: a realistic simulator that allows each member of the CPT to test, measure, and improve their cyber attack and defense skills and the team to build trust in each other. In a full-scale small city in Butlerville, Indiana, called Cybertropolis, the team was challenged to conduct an interactive battle against attackers on the prison systems and, specifically, to detect and counter anti-virus evasion, network enumeration, ransomware, client-side attacks, pivoting, network service exploitation, privilege escalation, attacks against industrial control systems, and Windows domain attacks. According to Maj. Joe Marty, team leader, "Cybertropolis provided our team the most realistic training environment we have encountered. We hope other CPTs get to experience this." [Editor: Congratulations to Ed Skoudis (ed@counterhack.com, NewsBites editor and CounterHack Challenges lead), and Eric Bassel (ebassel@sans.org of SANS) for their ground-breaking support for the U.S. Army CPTs in this important project.]

[Editor Comments]

[Paller] The article below is at a U.S. Army unclassified web site and provides great detail on how the simulation works and fits with CPT development.

Read more in:

154th Cyber Protection Team engaged in network defense at Cybertropolis, Indiana https://www.army.mil/article/183500/154th_cyber_protection_team_engaged_in_network_defense_at_cybertropolis_indiana

Bills in U.S. Congress Would Require FCC to Adopt Stronger Data Security Stance (March 2, 2017)

Democratic members of the U.S. House Energy and Commerce Committee have introduced three bills that would require the Federal Communications Commission (FCC) to take a strong position regarding cybersecurity. The bills would require that the FCC adopt rules protecting communications networks; establish an interagency panel to deal with cybersecurity investigations; and require Internet of Things (IoT) devices to adopt certified cybersecurity standards.

[Editor Comments]

[Pescatore] As the next news item points out, we are unlikely to see the FCC force the ISPs to take more action on security. It would be good to see the telecoms industry take initiative to improve the security of the customers and forestall any future regulation.

Read more in:

The Hill: House Dems push FCC to adopt stronger cybersecurity measures http://thehill.com/policy/technology/322009-house-dems-push-fcc-to-adopt-stronger-cybersecurity-measures

FCC Temporarily Stays Data Security Rule (March 1 & 2, 2017)

The US Federal Communications Commission (FCC) has voted 2-1 to stay a data security rule that would have required Internet service providers (ISPs) to take "reasonable" measures to protect consumers' personal information. FCC Chairman Ajit Pai and acting Federal Trade Commission (FTC) Chairwoman Maureen Ohlhausen issued a joint statement in which they argued that the FTC, not the FCC, should regulate all online data privacy and security.

Read more in:

CNET: FCC puts data security protections on hold https://www.cnet.com/news/fcc-puts-data-security-protections-on-hold-privacy/
Ars Technica: Broadband lobbyists celebrate as FCC halts data security requirements https://arstechnica.com/tech-policy/2017/03/isps-cheer-pause-of-rule-that-guards-private-data-from-security-breaches/
Computerworld: FCC halts data security rules http://computerworld.com/article/3175103/internet/fcc-halts-data-security-rules.html

*************************** SPONSORED LINKS *****************************
1) Stop Ransomware Before It Starts - Download the Ransomware on the Rise eBook Now: http://www.sans.org/info/192512
2) Register for a live webinar to learn "How Network Data Helps Drive Business Success" http://www.sans.org/info/192517
3) Don't Miss: Ransomware Remedies: Decoding and Dealing with Ransomware's Problematic Behaviors. Register: http://www.sans.org/info/192522
******************************************************************************

THE REST OF THE WEEK'S NEWS

Windows 10 Creators Update Will Give Users More Control Over Update Timing (March 1, 2017)

The Windows 10 Creators Update, scheduled for release this spring, will introduce more flexibility for installing updates. Once an update has downloaded, users will be given three choices: install and reboot right away; schedule a time to install within the next three days; or snooze the alert.

Read more in:

ZDNet: Microsoft prepares new update options for Windows 10 http://www.zdnet.com/article/microsoft-prepares-to-roll-out-new-windows-update-controls/
Ars Technica: Windows updates to become more reliable and predictable, with fewer surprise reboots https://arstechnica.com/information-technology/2017/03/windows-updates-to-become-more-reliable-and-predictable-with-fewer-surprise-reboots/

Cisco NetFlow Generation Appliance Vulnerability (March 2, 2017)

A flaw in Cisco's NetFlow Generation Appliance (NGA) could be exploited to induce denial-of-service conditions. The problem lies in the NGA's Stream Control Transmission Protocol (SCTP) decoder; incomplete validation of SCTP packets being monitored by NGA ports means that an attacker could cause the device to hang or reload by sending malformed SCTP packets.

Read more in:

SC Magazine: Vulnerability in Cisco NetFlow Generation Appliances could create DoS condition https://www.scmagazine.com/vulnerability-in-cisco-netflow-generation-appliances-could-create-dos-condition/article/641538/
Cisco Advisory: Cisco NetFlow Generation Appliance Stream Control Transmission Protocol Denial of Service Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170301-nga

House Committee Forwards Bill That Would Give NIST Auditing Authority (March 2, 2017)

The U.S. House Science Committee has passed (19-14) a bill that would place the onus of auditing government agencies' cybersecurity on the shoulders of the National Institute of Standards and Technology (NIST). Those opposing the measure say that auditing is outside of NIST's expertise. The bill calls for NIST to conduct an initial assessment of all agencies' cybersecurity preparedness within six months.

[Editor Comments]

[Pescatore] By design, NIST is not an operations-oriented agency and in the past has not done well when given cybersecurity operational responsibilities.

[Murray] A six-month NIST audit of the security of the entire government will be a futile exercise. They don't have the resources.

Read more in:

NextGov: NIST as Enforcer? House Committee Passes Bill to Expand Agency's Responsibilities http://www.nextgov.com/cybersecurity/2017/03/nist-enforcer-house-committee-passes-bill-expand-agencys-responsibilities/135805/?oref=ng-channeltopstory
House Science Committee: Full Committee Markup - H.R. 1224, the "NIST Cybersecurity Framework Auditing Act of 2017" https://science.house.gov/legislation/markups/full-committee-markup-hr-nist-cybersecurity-framework-assessment-and-auditing

Google Expands Safe Browsing for Chrome on macOS (March 1 & 2, 2017)

Google has expanded its Safe Browsing service for macOS devices. Safe Browsing blocks users from visiting websites hosting malware. It can also be used to scan downloaded files and prevent users from executing those identified as malicious. macOS users running Chrome will likely see more warnings.

Read more in:

Google: Expanding protection for Chrome users on macOS https://security.googleblog.com/2017/03/expanding-protection-for-chrome-users.html
Computerworld: Chrome for MacOS to block rogue ad injections and setting changes http://computerworld.com/article/3176564/security/chrome-for-macos-to-block-rogue-ad-injections-and-settings-changes.html
Softpedia: Chrome macOS Users to Benefit from Malware Protection http://news.softpedia.com/news/chrome-macos-users-to-benefit-from-extended-malware-protection-513499.shtml

Malicious iframes in Google Play Apps (March 1 & 2, 2017)

More than 130 Android apps in the Google Play store were found to contain malicious iframes in their HTML code. The iframes link to two domains that were "sinkholed" by Poland's CERT in 2013. The 132 apps came from seven different developers. The problem likely stems from an infected development platform.

Read more in:

SC Magazine: 132 Google Play apps found containing malicious iframes https://www.scmagazine.com/132-google-play-apps-found-containing-malicious-iframes/article/641381/
Ars Technica: 132 Google Play apps tried to infect Android users with... Windows malware https://arstechnica.com/security/2017/03/132-google-play-apps-tried-to-infect-android-users-with-windows-malware/
Computerworld: Old Windows malware may have infected 132 Android apps http://computerworld.com/article/3176174/security/old-windows-malware-may-have-infected-132-android-apps.html

New Dridex Variant Employs AtomBombing (March 1 & 2, 2017)

A new variant of the Dridex banking Trojan, Dridex v4, is using the AtomBombing injection technique to evade detection by security software. The Dridex v4 developers also changed the way its encryption is configured and added other enhancements. Dridex v4 is currently being used to target British banks.

[Editor Comments]

[Williams] This is just a stealth technique; it's not an exploit. By the time attackers use this technique, they've already exploited your machine. Endpoint protection software will adapt to detect this stealth technique eventually.

Read more in:

SC Magazine: New Dridex borrows from AtomBombing code injection technique, UK banks already targeted https://www.scmagazine.com/new-dridex-borrows-from-atombombing-code-injection-technique-uk-banks-already-targeted/article/641411/
ZDNet: Dridex Trojan updates with AtomBombing evasion techniques http://www.zdnet.com/article/dridex-trojan-updated-with-atombombing-evasion-techniques/
Computerworld: Dridex: First banking Trojan with AtomBombing to better evade detection http://computerworld.com/article/3175092/security/dridex-first-banking-trojan-with-atombombing-to-better-evade-detection.html
DarkReading: New Version Of Dridex Banking Trojan Uses 'AtomBombing' To Infect Systems http://www.darkreading.com/attacks-breaches/new-version-of-dridex-banking-trojan-uses-atombombing-to-infect-systems/d/d-id/1328299?
SoftPedia: Dridex Banking Trojan Now Uses AtomBombing to Avoid Detection http://news.softpedia.com/news/dridex-banking-trojan-now-uses-atombombing-to-avoid-detection-513456.shtml

NY Financial Cybersecurity Regulations Take Effect (March 1, 2017)

New cybersecurity regulations for financial institutions doing business in the state of New York took effect on Wednesday, March 1. Financial organizations, including banks and insurance companies, must establish and maintain cybersecurity programs. The rules will be phased in over the next two years. Most of the organizations now have 180 days to develop incident response plans and training programs. By March 1, 2018, the companies will also have to have established pen testing, risk assessment, and multifactor authentication practices. Some smaller companies are exempt from certain requirements.

Read more in:

SC Magazine: NY state cybersecurity regulations go into effect today, industry responds https://www.scmagazine.com/ny-state-cybersecurity-regs-go-into-effect-today-industry-responds/article/641375/
Dark Reading: New Cybersecurity Regulations Begin Today For NY Banks http://www.darkreading.com/risk/new-cybersecurity-regulations-begin-today-for-ny-banks/d/d-id/1328295?
NY Dept. of Financial Services: Cybersecurity Requirements for Financial Services Companies (PDF) http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf

Amazon Cloud Storage Suffers Outage (March 1 & 2, 2017)

Amazon's cloud services suffered an outage on Tuesday, February 28. The problem was due to a failure at Amazon S3 cloud storage service data centers in Virginia and was fixed the same day, roughly four hours after it began. The outage affected Internet traffic across the United States. Apps and websites that rely on Amazon Web Services' Internet-connected storage were slowed and in some cases disabled. The incident appears to have been caused by a typo. While looking into an issue that was causing the S3 billing system to run slowly, an Amazon team member executed a command intended to take a few S3 servers offline. Instead, the mistyped command caused a larger number of servers to be taken offline, some of which ran systems for the East Coast region. Correcting the problem required a full restart.

[Editor Comments]

[Pescatore] In the early days of business use of the Internet, when you drew a network diagram you drew a big squiggly cloud labeled "Internet." Back then, we learned the connection to that cloud was a single point of failure for critical business services and, even though the ISP might meet its monthly SLA, we needed redundant Internet connections to handle longer-term outages - good old business continuity. The same is true for cloud services - AWS may very well meet its monthly SLAs but too many of its customers had no continuity plans in place. By the way, even before the Internet as squiggly cloud needed redundancy, we learned that the electricity "cloud" serving the data center needed backup, too - and regular testing of that backup.

[Honan] A good example of why effective business continuity planning in the cloud should look at cross-regional support for your application. Just because your application or system runs from a cloud service provider does not mean it absolves you from identifying the associated availability risks and looking for ways to address them.

Read more in:

WSJ: Amazon Grapples With Outage at AWS Cloud Service https://www.wsj.com/articles/amazon-grapples-with-outage-at-aws-cloud-service-1488323097
Fortune: Here's Why Amazon's Cloud Suffered a Meltdown This Week http://fortune.com/2017/03/02/amazon-cloud-outage/
USA Today: Amazon mystery solved: A typo took down a big chunk of the Internet http://www.usatoday.com/story/tech/news/2017/03/02/mystery-solved-typo-took-down-big-chunk-web-tuesday/98645754/

WordPress NextGEN Gallery Plugin Vulnerability (March 1, 2017)

A critical flaw in the WordPress NextGEN Gallery plugin could be exploited to steal passwords and secret keys from databases under certain conditions. The NextGEN Gallery plugin has been installed more than one million times. Users are urged to update to version 2.1.79 or newer.

Read more in:

The Register: WordPress photo plugin opens 'a million sites' to SQLi database feasting http://www.theregister.co.uk/2017/03/01/wordpress_nextgen_gallery_sqli/
Ars Technica: Researchers find "severe" flaw in WordPress plugin with 1 million installs https://arstechnica.com/security/2017/02/severe-vulnerability-in-wordpress-plugin-could-affect-1-million-sites/

INTERNET STORM CENTER TECH CORNER

Business E-Mail Compromise and Sender Policy Framework (SPF) Typos https://isc.sans.edu/forums/diary/Phishing+for+Big+Money+Wire+Transfers+is+Still+Alive+and+Well+or+For+Want+of+Good+Punctuation+all+was+Lost/22141/

Android Developers Infected With Malware Publishing Malicious Apps http://researchcenter.paloaltonetworks.com/2017/03/unit42-google-play-apps-infected-malicious-iframes/

DBLTek GoIP Backdoor https://www.trustwave.com/Resources/SpiderLabs-Blog/Undocumented-Backdoor-Account-in-DBLTek-GoIP/

Decrypting Findzip/Patcher Ransomware https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/

LDAP and STARTTLS https://isc.sans.edu/forums/diary/SSLTLS+on+port+389+Say+what/22135/

WordPress NextGEN Gallery Plugin SQL Injection Vulnerability https://blog.sucuri.net/2017/02/sql-injection-vulnerability-nextgen-gallery-wordpress.html

Password Manager Insecurities https://team-sik.org/trent_portfolio/password-manager-apps/

Slack Insecure Cross Window Messaging https://labs.detectify.com/2017/02/28/hacking-slack-using-postmessage-and-websocket-reconnect-to-steal-your-precious-token/

Google Voice Recognition Used to Break Google ReCaptcha Audio Challenge https://east-ee.com/2017/02/28/rebreakcaptcha-breaking-googles-recaptcha-v2-using-google/

Amazon Cloud IPv4 Reuse Leads to Stray Requests https://isc.sans.edu/forums/diary/My+Catch+Of+4+Months+In+The+Amazon+IP+Address+Space/22129

Amazon S3 Outage https://isc.sans.edu/forums/diary/Amazon+S3+Outage/22131/

CloudPets Leaks Recordings https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/

ESET Antivirus Vulnerability Puts Macs at Risk http://seclists.org/fulldisclosure/2017/Feb/68

Analysis of a Simple PHP Backdoor https://isc.sans.edu/forums/diary/Analysis+of+a+Simple+PHP+Backdoor/22127/


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create