SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #21
March 14, 2017Thursday March 16, at 1 PM EDT: The rest of the story on the Seven Most Dangerous New Attack Techniques (Skoudis, Ullrich, Assante and Lyne) https://www.rsaconference.com/videos/the-seven-most-dangerous-new-attack-techniques-and-whats-coming-next-continued
TOP OF THE NEWS
Android Supply Chain Infecting Mobiles with Malware Before Delivery
VA Chief Indicates They Will Move to Commercially Available Software
Investigators Looking at CIA Contractors Regarding Information on WikiLeaks
THE REST OF THE WEEK'S NEWS
IT Contractor Server Breach Compromised Welsh NHS Medical Professionals' Data
US Military Data Leak
Canada Revenue Agency, Statistics Canada Systems Were Down Over the Weekend
Prison Sentence for Man Who Stored National Defense Documents in His Home
Schneider Electric Privilege Escalation Vulnerability Patch Available
Dahua Releases Security Update for Many of its IoT Products
IRS's Federal Student Financial Aid Data Retrieval Tool Temporarily Suspended
Home Depot to Settle Breach Case for USD 25M
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER*************************** Sponsored By Sophos Inc. ******************************
Whitepaper: Exploits Intercepted - Exploits are one of the main techniques used by cybercriminals to spread malware. They take advantage of weaknesses in legitimate software products to infect computers. A single exploit can be used by myriad separate pieces of malware, all with different payloads. Read this paper to learn how to stop exploits. http://www.sans.org/info/192942
***************************************************************************
TRAINING UPDATE
-- SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017
-- SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017
-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017
-- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017
-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017
-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017
-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/***************************************************************************
TOP OF THE NEWS
Android Supply Chain Infecting Mobiles with Malware Before Delivery (March 10, 12, & 13, 2017)
Certain Android smartphones are being infected with malware somewhere along the supply chain. The affected brands include Samsung, Xiaomi, Asus, LG, ZTE, and Lenovo. Several types of malware have been found on the devices: data stealers, malicious advertisement displayers, and ransomware.[Editor Comments]
[Williams] A great example of why supply chain security is so important in organizations today. These attacks do not appear to be targeted at the specific organizations where the infected phones were found. Supply chain due diligence includes assessing the security of newly acquired hardware and software on a periodic basis.
[Ullrich] The old "re-image before use" rule that many applied to regular computers should apply to mobile devices as well.
[Murray] This is just one of the risks that enterprise users of open systems, like Android, have to manage. However, it is one that the young, the elderly, and the otherwise naive can only avoid. However much scorn the community likes to heap on Apple for its "walled garden" strategy, it is a welcome, not to say necessary, option.
Read more in:
The Register: Malware infecting Androids somewhere in the supply chain http://www.theregister.co.uk/2017/03/12/malware_infecting_androids_somewhere_in_the_supply_chain/
Ars Technica: Malware found preinstalled on 38 Android phones used by 2 companies https://arstechnica.com/security/2017/03/preinstalled-malware-targets-android-users-of-two-companies/
V3: Samsung, Asus, and Lenovo smartphones come with pre-installed malware, Check Point Software has warned http://www.v3.co.uk/v3-uk/news/3006392/samsung-asus-and-lenovo-smartphones-come-with-pre-installed-malware-check-point-software-has-warned
VA Chief Indicates They Will Move to Commercially Available Software (March 13, 2017)
The Secretary of the US Department of Veterans Affairs told legislators that the agency will look to commercially available software rather than use software developed in-house. Dr. David Shulkin told the US House Veterans Affairs Committee that the agency "should focus on the things veterans need us to focus on and work with companies that know how to do [IT systems] better than we do."[Editor Comments]
[Pescatore] Running unpatched commercial software on poorly managed and poorly secured networks and servers won't be much of a security upgrade over government-developed software - kinda like painting over the water stains without repairing the leak in the roof. Improvements in basic security hygiene is needed on most government systems first.
Read more in:
FCW: VA chief swears off software development https://fcw.com/articles/2017/03/10/shulkin-commerical-it.aspx
Investigators Looking at CIA Contractors Regarding Information on WikiLeaks (March 11, 2017)
Investigators seeking the source of the leaks of CIA hacking tools are looking at several contractors who worked for the agency. Sources say that some contractors working overseas were unhappy when they learned they would not be reassigned to positions in the US. The CIA has yet to confirm the authenticity of the documents released by WikiLeaks.Read more in:
WSJ: Authorities Question CIA Contractors in Connection With WikiLeaks Dump https://www.wsj.com/articles/authorities-questioning-cia-contractors-in-connection-with-wikileaks-dump-1489283964
*************************** SPONSORED LINKS *****************************
1) Why is the US NIST Cybersecurity Framework being quickly adopted around the globe? Learn More: http://www.sans.org/info/192947
2) Learn how to select a SIEM for targeted attack detection that reflect Gartner's recommendations. http://www.sans.org/info/192952
3) Discover the latest global application threat data and actionable intelligence with F5 Labs. http://www.sans.org/info/192957
***************************************************************************
THE REST OF THE WEEK'S NEWS
IT Contractor Server Breach Compromised Welsh NHS Medical Professionals' Data (March 13, 2017)
Attackers breached a server belonging to an NHS IT contractor, exposing personal information of thousands of employees in Wales. The compromised data include names, dates of birth, and National Insurance numbers, as well as the radiation exposure levels of some employees. The contractor, Landauer, processes data for the Welsh NHS.Read more in:
The Register: Thousands of NHS staff details lost in breach of IT contractor's server http://www.theregister.co.uk/2017/03/13/thousands_of_nhs_staff_details_lost_in_breach_of_it_contractors_server/
ZDNet: Hackers steal personal data of thousands of hospital staff http://www.zdnet.com/article/hackers-steal-personal-data-of-thousands-of-hospital-staff/
V3: Thousands of Welsh NHS staff personal data exposed by hackers http://www.v3.co.uk/v3-uk/news/3006394/thousands-of-welsh-nhs-staff-personal-data-exposed-by-hackers
US Military Data Leak (March 13, 2017)
An unsecured backup drive exposed sensitive US Air Force personnel files. The drive was not password protected. The compromised data include names, Social Security numbers (SSNs), as well as a list of open investigations, and at least two completed applications for renewed national security clearances. The data have since been secured.[Editor Comments]
[Williams] In penetration tests, we're seeing more and more unsecured backup systems exposing sensitive information inside the perimeter. Organizations rarely are careless enough to make these backup systems Internet accessible, but in this case, the drive is thought to belong to an Air Force officer and was likely deployed offsite without IT support. Data loss prevention (DLP) software might have restricted the information from being copied offsite without the knowledge of systems administrators and security personnel.
[Northcutt] I can only hope that this event spurs the community to encrypt data at rest:
http://www.zdnet.com/article/encrypting-data-at-rest-is-vital-but-its-just-not-happening/
https://www.datamotion.com/2015/12/best-practices-securing-data-at-rest-in-use-and-in-motion/
https://en.wikipedia.org/wiki/Data_at_rest
Read more in:
ZDNet: US military leak exposes "holy grail" of security clearance files http://www.zdnet.com/article/leaked-us-military-files-exposed/
Softpedia: US Military Security Clearance Files Leak Due to Unsecured Drive http://news.softpedia.com/news/us-military-security-clearance-files-leak-due-to-unsecured-drive-513856.shtml
Canada Revenue Agency, Statistics Canada Systems Were Down Over the Weekend (March 13, 2017)
The Canada Revenue Agency temporarily suspended online filing over the weekend due to security concerns. The service is back online. CRA says that they "took this action as a precaution, not as a result of a successful hack or breach." Statistics Canada's computer system was unavailable between the morning of Friday March 10 and the evening of Sunday March 12 "due to a recent vulnerability impacting specific computer systems worldwide."[Editor Comments]
[Ullrich] The site was taken down to patch it for the Apache Struts2 vulnerability. We are tracking a couple of botnets that are now taking advantage of this vulnerability to compromise web servers. If you haven't patched yet: Assume you are compromised. This vulnerability can be mitigated easily with web application firewall rules in case you cannot patch quickly. This is also a nice example how a simple but effective exploit is often overlooked while our attention is grabbed by more interesting but less applicable exploits from the CIA leak. Your chances are much higher to be compromised by a kid via the Struts2 exploit then by a nation state actor using your TV or iPhone (but of course you will call it a "sophisticated attack" in your post-leak press release no matter how you got compromised).
Read more in:
The Globe and Mail: CRA, Statscan services back online after shutdowns due to hacking vulnerability http://www.theglobeandmail.com/news/national/hacking-threat-prompts-cra-to-take-some-online-services-down/article34275578/
The Register: Canadians can file online tax returns again after emergency outage http://www.theregister.co.uk/2017/03/13/canada_revenue_agency_outage_to_patch_something/
SC Magazine: Canadian tax and labor websites taken offline this weekend https://www.scmagazine.com/canadian-tax-and-labor-websites-taken-offline-this-weekend/article/643629/
Canada Revenue Agency: Notice - Update: Online services restored http://www.cra-arc.gc.ca/menu-eng.html
Prison Sentence for Man Who Stored National Defense Documents in His Home (March 10 & 11, 2017)
A former US National Geospatial-Intelligence Agency has been sentenced to 12 months in prison for storing classified national defense data at his home. Mohan Nirala, who worked for the agency from 2009 until 2015, pleaded guilty in September, 2016 to one felony count of willful retention of national defense information under the Espionage Act.Read more in:
The Register: Spy satellite scientist sent down for a year for stowing secrets at home http://www.theregister.co.uk/2017/03/11/spy_sat_scientist_jailed/
US Dept. of Justice: Former NGA Employee Sentenced for Taking Classified Information https://www.justice.gov/opa/pr/former-nga-employee-sentenced-taking-classified-information
Schneider Electric Privilege Escalation Vulnerability Patch Available (March 10, 2017)
Schneider Electric has developed a patch for a remotely exploitable privilege escalation flaw in Tableau Server/Desktop data analysis and visualization software versions 7.0 through 10.1.3 that is deployed within Schneider Wonderware Intelligence 2014R3 and earlier. The US Department of Homeland Security's ICS-CERT has issued an advisory. Users are urged to upgrade to the most current versions of the software.[Editor Comments]
[Paller, Murray] We wonder what proportion of vulnerable Schneider systems will have been patched in a week, a month, a year, never?
Read more in:
ThreatPost: Privilege Escalation Flaw Patched in Schneider Wonderware https://threatpost.com/privilege-escalation-flaw-patched-in-schneider-wonderware/124217/
ICS-CERT: Advisory: Schneider Electric Wonderware Intelligence https://ics-cert.us-cert.gov/advisories/ICSA-17-066-01
Dahua Releases Security Update for Many of its IoT Products (March 10, 2017)
Dahua, which makes Security cameras and digital video recorders (DVRs), has released firmware updates to fix a vulnerability that affects many of its products. The flaw is trivial to exploit and could allow attackers to take control of vulnerable systems.Read more in:
KrebsOnSecurity: Dahua, Hikvision IoT Devices Under Siege https://krebsonsecurity.com/2017/03/dahua-hikvision-iot-devices-under-siege/
Dahua: Security Bulletin: Cyber Vulnerability Affecting Certain IP Cameras and Recorders http://us.dahuasecurity.com/en/us/Security-Bulletin_030617.php
IRS's Federal Student Financial Aid Data Retrieval Tool Temporarily Suspended (March 9 & 10, 2017)
The US Internal Revenue Service (IRS) has temporarily disabled an auto-fill tool to help applicants for federal student aid populate their loan applications. The data retrieval feature of the Free Application for Federal Student Sid (FAFSA) was suspended to prevent identity theft. The IRS expects the tool to be unavailable for several weeks.Read more in:
US Dept. of Education: Internal Revenue Service (IRS) and U.S. Department of Education Office of Federal Student Aid (FSA) Statement about the IRS Data Retrieval Tool https://www.ed.gov/news/press-releases/internal-revenue-service-irs-and-us-department-education-office-federal-student-aid-fsa-statement-about-irs-data-retrieval-tool-drt
Nextgov: IRS Took Down FAFSA Autofill Tool to Prevent Identity Theft http://www.nextgov.com/cybersecurity/2017/03/irs-took-down-fafsa-autofill-tool-prevent-identity-theft/136083/?oref=ng-channelriver
Home Depot to Settle Breach Case for USD 25M (March 9 & 10, 2017)
Big box home improvement store Home Depot has agreed to pay USD 25 million in damages to banks to settle a case over a 2014 data security breach. More than 50 million customers were affected by the incident. The terms of the settlement also call for Home Depot to improve its cybersecurity practices and to more carefully vet its IT vendors. A breach at a third-party payment processor allowed the attackers access to payment card terminals at Home Depot self-checkout lanes. Home Depot has already paid more than US 130 million to Visa, MasterCard and other banks.Read more in:
SC Magazine: Home Depot to pay $25M in breach settlement https://www.scmagazine.com/home-depot-to-pay-25m-in-breach-settlement/article/643491/
Fortune: Home Depot to Pay Banks $25 Million in Data Breach Settlement http://fortune.com/2017/03/09/home-depot-data-breach-banks/
INTERNET STORM CENTER TECH CORNER
Issues with Out Of Date Geo Location Databases
https://isc.sans.edu/forums/diary/The+Side+Effect+of+GeoIP+Filters/22173/Recovering Mobile Device PINs via Thermal Images
http://www.mkhamis.com/data/papers/abdelrahman2017chi.pdfUnmasking Randomized MAC Addresses
https://arxiv.org/abs/1703.02874v1Mobile Phone Supply Chain Attacks
http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/Creating SHA3 Hashes with sigs.py
https://isc.sans.edu/forums/diary/New+tool+sigspy/22181/Canada Revenue Agency Website Attacked / Down over Struts2
http://www.cbc.ca/news/politics/cra-internet-vulnerability-government-1.4022591Webkit Exploit Adopted to Nintendo Switch
https://www.youtube.com/watch?v=xkdPjbaLngEAnalysis of Outdated JavaScript Libraries on the Web
http://www.ccs.neu.edu/home/arshad/publications/ndss2017jslibs.pdfGithub Enterprise SAML Authentication Bypass
http://www.economyofmechanism.com/github-saml***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create