SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #20
March 10, 2017TOP OF THE NEWS
WikiLeaks Will Offer Tech Companies Access to CIA Hacking Tools
Critical Flaw in Apache Struts 2 (Patch Now!)
Industry Officials to House Committee: Government is Not Sharing Enough Cyber Threat Info
Google's March Android Update Fixes 105 Flaws
THE REST OF THE WEEK'S NEWS
Instagram Phishing Apps Removed from Google Play
Confide Messaging App Vulnerabilities
Mozilla Releases Firefox 52
WordPress Updated to Version 4.7.3
Verifone Investigating Breach
DHS's Breach Notification Best Practices
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER*************************** Sponsored By Splunk ******************************
It's no longer a question whether an organization will be breached it's a matter of when.
Register for this webinar to hear Splunk and Gartner discuss the strategic role of SIEM as a centralized solution and why organizations need to move from prevention only solutions to detection, response and remediation. http://www.sans.org/info/192682
***************************************************************************
TRAINING UPDATE
-- SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017
-- SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017
-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017
-- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017
-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017
-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017
-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/***************************************************************************
TOP OF THE NEWS
WikiLeaks Will Offer Tech Companies Access to CIA Hacking Tools (March 9, 2017)
Julian Assange says that WikiLeaks will offer tech companies access to the technical details of hacking tools in the cache of leaked classified CIA documents so that the companies can address the vulnerabilities the tools exploit. Companies are wary of the offer because of the legal ramifications of accepting stolen classified data.[Editor Comments]
[Williams] White House press secretary Sean Spicer noted "any individual or entity using any piece of still-classified information" should consult with their legal counsel (clearly a veiled threat). Some people with security clearances I've talked to are afraid to even view the data. This attitude is extremely damaging. Many of those with security clearances are performing cyber threat intelligence functions for our nations most secure networks. Attackers can and will learn from the insights in the CIA leaks. To limit our defender's access to the same data through veiled threats is reckless and further harms US national security.
Read more in:
SC Magazine: WikiLeaks promises to leak Vault 7 code archive to tech firms first https://www.scmagazine.com/wikileaks-promises-to-leak-vault-7-code-archive-to-tech-firms-first/article/643046/
ZDNet: WikiLeaks: We will work with tech companies to fix CIA hacking holes http://www.zdnet.com/article/wikileaks-we-will-work-with-tech-companies-to-fix-cia-hacking-holes/
New York Times: WikiLeaks Will Help Tech Companies Fix Security Flaws, Assange Says https://www.nytimes.com/2017/03/09/us/wikileaks-julian-assange-cia-hacking.html
WSJ: Assange: WikiLeaks Will Help Tech Firms Defend Against CIA Hacking https://www.wsj.com/articles/wikileaks-assange-says-group-will-help-tech-firms-defend-against-cia-hacking-1489074870
Critical Flaw in Apache Struts 2 (Patch Now!) (March 9, 2017)
Attackers are actively exploiting a critical code execution flaw in the Apache Struts 2 web application framework to take control of vulnerable webservers. There are at least two working exploits. Developers released a patch for the issue earlier in the week, but not all affected servers have been updated. Organizations that use Apache Struts 2 are urged to upgrade to versions 2.3.32 or 2.5.10.1 as soon as possible.[Editor Comments]
[Ullrich] Patching this flaw should be your top priority right now. We have observed exploit attempts shortly after the flaw became known. Exploitation is trivial and tools to exploit this problem are readily available. Note that Struts2 can be a component of many Java based web applications (JBOSS, HipChat).
https://isc.sans.edu/forums/diary/Critical+Apache+Struts+2+Vulnerability+Patch+Now/22169/
Read more in:
Computerworld: Hackers exploit Apache Struts vulnerability to compromise corporate web servers http://computerworld.com/article/3178689/security/hackers-exploit-apache-struts-vulnerability-to-compromise-corporate-web-servers.html
Ars Technica: Critical vulnerability under "massive" attack imperils high-impact sites [Updated] https://arstechnica.com/security/2017/03/critical-vulnerability-under-massive-attack-imperils-high-impact-sites/
Apache: Possible remote Code Execution when performing file upload based on Jakarta multipart parser https://cwiki.apache.org/confluence/display/WW/S2-045
Industry Officials to House Committee: Government is Not Sharing Enough Cyber Threat Info (March 9, 2017)
Tech industry officials testified before the U.S, House Homeland Security Committee's cybersecurity panel, saying that there is an imbalance in threat information sharing between the private sector and the government. Legislation passed in 2015 grants companies protection from legal liability when they share threat information with the government, but the government has been less forthcoming with threat information that could help protect IT systems in the private sector. Intel Security Vice president Scott Montgomery noted that when the government classifies a cybersecurity event, it "restrict[s] the number of people who can lend assistance and... allow[s] the adversary to operate with impunity." Witnesses said that if information about threats could be stripped of identifiable information and provided to members of private organizations who hold security clearances, companies would be better positioned to take action against similar threats.[Editor Comments]
[Pescatore] his has been the standard complaint about all such government intelligence "sharing" initiatives for over a decade. Many proposals have been put out for how to overcome government worries about exposing sources and methods, but no movement on the govt. side. On the enterprise side, no reason to think this will change any time soon.
[Williams] Over-classification of cyber threat data is a real problem. I've worked incidents where threat data has been shared with federal law enforcement, only to see small portions of that same data shared with a limited distribution community weeks later in "Flash" messages. When we inquired why the most important data we shared with the feds wasn't shared with the broader community, we were told it was classified.
[Northcutt] This is complicated, but also historical. For the last 25 years, the US Government's policy has been, "give us your data and we might share 1% back." If we are talking about a partnership, "that dog don't hunt".
https://www.youtube.com/watch?v=iu6Gmo5dXZU
https://en.wikipedia.org/wiki/Cybersecurity_Information_Sharing_Act
https://www.dhs.gov/topic/cybersecurity-information-sharing
Read more in:
Nextgov: Government Isn't Sharing Cyber Threats as Promised, Private Sector Says http://www.nextgov.com/cybersecurity/2017/03/government-isnt-sharing-cyber-threats-promised-private-sector-says/136035/?oref=ng-channeltopstory
Google's March Android Update Fixes 105 Flaws (March 8, 2017)
Google has issued its monthly Android security update which addresses 105 vulnerabilities, 35 of which are rated critical. Nine of the critical flaws are code execution issues in the mediaserver component. The update also included fixed for 35 vulnerabilities in Qualcomm components.Read more in:
eWeek: Google Patches Android for 105 Vulnerabilities in March Update http://www.eweek.com/security/google-patches-android-for-105-vulnerabilities-in-march-update.html
*************************** SPONSORED LINKS *****************************
1) Thinking about replacing your antivirus? Download this free proof of concept checklist for selecting a next-gen antivirus solution - Download now. http://www.sans.org/info/192687
2) Red Hat can help container users secure their apps and achieve FISMA compliance. Learn More: http://www.sans.org/info/192692
3) A Case Study: Exploring Potential Attack Methods and Sophisticated Security Defenses for the World's Power Plants. Register: http://www.sans.org/info/192712
***************************************************************************
THE REST OF THE WEEK'S NEWS
Instagram Phishing Apps Removed from Google Play (March 9, 2017)
13 apps have been removed from the Google Play store after they were found to contain malware that attempted to steal users' Instagram credentials. The malicious apps billed themselves as tools to help increase the number of Instagram followers. Once the attackers obtain account credentials, the compromised accounts could be used to send spam and advertisements and to like and comment on posts from other accounts.Read more in:
The Register: Instagram phishing apps pulled from Google Play http://www.theregister.co.uk/2017/03/09/instagram_phishing_apps/
SoftPedia: Instagram Users Targeted by Credential Stealers, 1.5M Downloads on Infected Apps http://news.softpedia.com/news/instagram-users-targeted-by-credential-stealers-1-5m-downloads-on-infected-apps-513743.shtml
Confide Messaging App Vulnerabilities (March 8 & 9, 2017)
Two separate teams of researchers have found numerous security issues in the Confide messaging app. Confide, which bills itself as "military-grade" with end-to-end encryption, was found to be vulnerable to man-in-the-middle attacks, allowing attackers to intercept and alter communications. Flaws in the app's account management system could be exploited to gain access to user account records. Researchers also found that Confide's screenshot prevention prevention and message deletion features could be defeated. Confide says the flaws have been fixed.Read more in:
Wired: That Encrypted Chat App the White House Liked? Full of Holes https://www.wired.com/2017/03/confide-security-holes/
ZDNet: Confide, a messaging app used by White House staff to leak, isn't very secure http://www.zdnet.com/article/confide-a-favorite-among-white-house-staffers-isnt-as-secure-as-it-says/
Computerworld: Security holes in Confide messaging app exposed user details http://computerworld.com/article/3178548/security/security-holes-in-confide-messaging-app-exposed-user-details.html
Dark Reading: Researchers Find Multiple Critical Flaws In Confide Secure Messaging App http://www.darkreading.com/vulnerabilities---threats/researchers-find-multiple-critical-flaws-in-confide-secure-messaging-app/d/d-id/1328352?
CyberScoop: Confide, the White House's favorite messaging app, has multiple critical vulnerabilities https://www.cyberscoop.com/confide-app-security-audit-donald-trump-white-house/?category_news=technology
Mozilla Releases Firefox 52 (March 7, 2017)
On March 7, Mozilla released Firefox 52 to fix 28 security issues and add several browser features. Firefox 52 supports the WebAssembly standard. It also disables all plugins that use the Netscape Plugin API (NPAPI) except for Adobe Flash. Mozilla began warning developers and users of the end of NPAPI support in October 2015. Firefox 52 is also the last major version of the browser that will support Windows XP and Vista; future major versions will require Windows 7 or later.Read more in:
Ars Technica: Final Firefox version with Windows XP, plugin support released today https://arstechnica.com/information-technology/2017/03/final-firefox-version-with-windows-xp-plugin-support-released-today/
eWeek: Firefox 52 Brings WebAssembly and Security fixes http://www.eweek.com/security/firefox-52-brings-webassembly-and-security-fixes.html
WordPress Updated to Version 4.7.3 (March 7, 2017)
WordPress has updated its content management system (CSM) to version 4.7.3 to address half a dozen security issues and nearly 40 "bugs." This marks the third WordPress update so far in 2017. Three of the six vulnerabilities fixed could be exploited through cross-site scripting (XSS) attacks.Read more in:
eWeek: WordPress 4.7.3 Updates for Six Security Issues http://www.eweek.com/security/wordpress-4.7.3-updates-for-six-security-issues.html
ThreatPost: WordPress 4.7.3 Patches Half-Dozen Vulnerabilities https://threatpost.com/wordpress-4-7-3-patches-half-dozen-vulnerabilities/124137/
Verifone Investigating Breach (March 7, 2017)
Payment card company Verifone is investigating reports of a breach of its internal networks. The incident appears to have affected several companies that use Verifone's point-of-sale services. (Verifone makes and sells point-of-sale terminals and offers services to support payment card processing.) An internal Verifone memo from January 2017 tells employees to change their passwords within 24 hours and informs them that they will no longer be permitted to install software on company computers.Read more in:
KrebsOnSecurity: Payments Giant Verifone Investigating Breach https://krebsonsecurity.com/2017/03/payments-giant-verifone-investigating-breach/
DHS's Breach Notification Best Practices (March 6, 2017)
The US Department of Homeland Security (DHS) is putting the finishing touches on breach notification guidance for agencies, state and local governments, and other organizations. The DHS Data Privacy and Integrity Committee approved a final draft of the best practices document last month. The guidance addresses deciding whether and how to notify affected individuals; the risks of over-notification; and offers suggestions for additional support for those affected by a breach.[Editor Comments]
[Pescatore] The draft has common sense recommendations but there are two areas where DHS really ought to go further for government agencies: (1) provide a simplified, standardized risk scoring method for agencies to use in making the notification decision; an d (2) funding an IDIQ kind of contract for some number of approved "identity theft mitigation services." Both of these are needed so that breached agencies can move much, much more quickly in reducing impact to citizens than we've seen them able to move in the past.
[Neely] The draft memo http://1yxsm73j7aop3quc9y5ifaw3.wpengine.netdna-cdn.com/wp-content/uploads/2017/03/Best-Practices-for-Data-Breach-Notification-1.19.17_FINAL-DRAFT.pdf creates a risk based approach, encapsulating lessons learned from the OPM breach and tries to build on the California and other state data breach notification laws enacted since 2003.
Read more in:
Federal News Radio: DHS finalizing best practices for notifying victims of major cyber breaches http://federalnewsradio.com/cybersecurity/2017/03/dhs-finalizing-best-practices-notifying-victims-major-cyber-breaches/
INTERNET STORM CENTER TECH CORNER
From Shamoon To Stonedrill: Evolution of Wipers Attacking Saudi Organizations
https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdfWordPress Update
https://wordpress.org/news/2017/03/wordpress-4-7-3-security-and-maintenance-release/Reading Secret Keys from SGX Enclaves
https://arxiv.org/abs/1702.08719Security Researches Target Nintendo Switch
https://twitter.com/qlutoohttps://www.youtube.com/watch?v=CwdDN1kA93Q&feature=youtu.be
Dockerscan
https://github.com/cr0hn/dockerscan1 in 5 Websites still rely on SHA-1 Based Certificates
http://www.theregister.co.uk/2017/03/08/sha1_certificate_survey/Not All Malware Samples Are Complex
https://isc.sans.edu/forums/diary/Not+All+Malware+Samples+Are+Complex/22163/Struts Vulnerability Included in Metasploit
https://github.com/rapid7/metasploit-framework/issues/8064https://cwiki.apache.org/confluence/display/WW/S2-045?from=groupmessage
***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
