SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #22

March 17, 2017

SANS would like to hear your thoughts on the most important trends impacting cybersecurity programs over the next three years. See the list here (https://survey.sans.org/jfe/form/SV_bww0OZd0jF8xdxX). Tell us whether you agree and what is missing.

TOP OF THE NEWS


Rob Joyce to be Named White House Cybersecurity Coordinator
Just 11 Percent of Cybersecurity Jobs Held by Women
RAND Zero-Day Vulnerability Study

THE REST OF THE WEEK'S NEWS


Fixes Available for Linux Kernel Flaw
Apache Struts Attacks
Critical SAP Flaw in GUI Client
Four Charged in Yahoo Breach
WhatsApp and Telegram Fix Flaws that Could Be Exploited to Take Over Accounts
Adobe Releases Updates for Flash and Shockwave
Second Person Charged in Connection with Citadel Malware
Microsoft's March Patch Tuesday Incorporates February's Fixes, Postpones Move to Database
SXSW: Congressman Proposes National Guard for Cybersecurity

INTERNET STORM CENTER TECH CORNER


*************************** Sponsored By Carbon Black **********************
Thinking about replacing your antivirus? Download this free proof of concept checklist for selecting a next-gen antivirus solution - Download now: http://www.sans.org/info/193387
***************************************************************************


TRAINING UPDATE



-- SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017

-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017

-- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017

-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017

-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017

-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Rob Joyce to be Named White House Cybersecurity Coordinator (March 13 & 15, 2017)

The White House will appoint Rob Joyce, currently chief of the NSA's Tailored Access Operations, to manage federal cybersecurity policy. In his capacity as White House cyber security coordinator, Joyce will sit on the National Security Council.

[Editor Comments]

[Paller] Rob has been one of the leaders at NSA in sharing knowledge. A flash notice in Newsbites 9 months ago points to a prime example: "Amazing! The leader of most skilled people at NSA who carry out nation-state attacks (Rob Joyce of TAO) shared the techniques his team would use to stop nation-state attackers like themselves, in a briefing that was recorded and is a 35-minute YouTube video at https://www.youtube.com/watch?v=bDJb8WOJYdA. This is the most authoritative talk on offense informing defense I have ever seen." He starts that talk saying 'I am going to show you what you can do to stop nation-state hackers like me.'

Read more in:

The Hill: White House to bring on NSA hacker to NSC http://thehill.com/policy/cybersecurity/324086-white-house-to-bring-on-nsa-hacker
Nextgov: Trump Cyber Czar Brings Deep Expertise But Maybe Some Baggage, Too http://www.nextgov.com/cybersecurity/2017/03/trump-cyber-czar-brings-deep-expertise-maybe-some-baggage-too/136127/?oref=ng-channelriver
FCW: NSA vet Joyce to lead cyber at White House https://fcw.com/articles/2017/03/15/joyce-white-house-cyber.aspx
Keynote, BSides Augusta 2016: Robert Joyce http://www.irongeek.com/i.php?page=videos/bsidesaugusta2016/keynote-robert-joyce

Just 11 Percent of Cybersecurity Jobs Held by Women (March 15 & 16, 2017)

According to the 2017 Global Information Security Workforce Study, just 11 percent of cybersecurity jobs are held by women. North America has the highest percentage of women in the cybersecurity workforce at just 14 percent. The report found that women earned less than their male counterparts.

Read more in:

FCW: More work needed to get women in cyber jobs https://fcw.com/articles/2017/03/15/cyber-women.aspx
CyberScoop: Women paid less than men at every level of cybersecurity industry, report says https://www.cyberscoop.com/women-in-cybersecurity-wage-gap-report/?category_news=technology
Dark Reading: Women Still Only 11% of Global InfoSec Workforce http://www.darkreading.com/careers-and-people/women-still-only-11--of-global-infosec-workforce/d/d-id/1328409?
IAmCyberSafe: Global Information Security Workforce Study http://iamcybersafe.org/research/
Related:
CyberScoop: CyberScoop's 2017 Top Women in Cybersecurity https://www.cyberscoop.com/2017-top-women-in-cybersecurity/

RAND Zero-Day Vulnerability Study (March 9, 2017)

A zero-day vulnerability study from the RAND Corporation found that zero-day exploits and their associated flaws have an average lifespan of 6.9 years; that no characteristic of a vulnerability determined its lifespan; and that "for a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been publicly discovered and disclosed by another entity."

[Editor Comments]

[Pescatore] The report is aimed at policy makers considering the "Should the government tell private industry about zero day vulnerabilities it discovers?" question and is based on looking at 207 zero day vulnerabilities that were discovered by white hat researchers between 2002 and 2016. From this data, the risk of the government staying quiet is numerically low - 94.3% of the time no other good guys found the zero day vulnerability. But, they point out they don't have data on how many the bad guys found, and I think we have learned that the US certainly does *not* have a monopoly on skilled white hats or black hats - the real world percentage of zero days known by adversaries is surely higher. This is a tough national policy problem but an easy security problem - vulnerabilities that are disclosed faster get fixed faster. Of course, software that is built better starts out fixed...

Read more in:

RAND: Zero Days, Thousands of Nights http://www.rand.org/pubs/research_reports/RR1751.html
CyberScoop: Zero day study: Hoarding exploits less harmful than generally thought https://www.cyberscoop.com/study-hoarded-zero-days-last-seven-years-and-are-rarely-discovered/

*************************** SPONSORED LINKS *****************************
1) Protect Your Users Everywhere and Proactively Fight Against Cyberattacks. Try a FREE Product Eval Today! http://www.sans.org/info/193392
2) Join Cybereason's Brad Mecha, and Dave Shackelford, SANS Analyst, to learn how to elevate your current threat hunting program. Register: http://www.sans.org/info/193397
3) Don't Miss: MobileIron Security Labs: Combatting the Current State of Mobile Enterprise Security. Register: http://www.sans.org/info/193412
***************************************************************************

THE REST OF THE WEEK'S NEWS

Fixes Available for Linux Kernel Flaw (March 16, 2017)

Fixes are available for a vulnerability in the Linux kernel that has been present for seven years. The race condition in the n_hdlc driver could be exploited to gain elevated privileges. Users should install available updates or block the affected module manually.

Read more in:

The Register: Dormant Linux kernel vulnerability finally slayed http://www.theregister.co.uk/2017/03/16/linux_kernel_vuln/

Apache Struts Attacks (March 16, 2017)

A vulnerability in Apache Struts is being actively exploited. The issue lies in the Apache Struts Jakarta Multipart parser. The flaw can be exploited to execute code by using a specially crafted Content-Type HTTP header. Users are urged to upgrade to Apache Struts version 2.3.32 or version 2.5.10.1.
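
As an added illustration (not code from the newsletter or from the Apache project), the detector below applies the defender-side check that follows from this item: a request whose Content-Type is not a syntactically valid media type, or that carries the `%{...}`/`${...}` expression delimiters OGNL evaluates, has no business reaching a Struts application and is worth alerting on. The log layout and every sample line are constructed for the example.

```python
import re

# RFC 7230 token characters; a media type is token "/" token with optional
# ";name=value" parameters. Braces and parentheses are not token characters,
# so an expression such as %{...} can never be a valid Content-Type.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_MEDIA_TYPE = re.compile(
    rf"^{_TOKEN}/{_TOKEN}(?:\s*;\s*{_TOKEN}=(?:{_TOKEN}|\"[^\"]*\"))*\s*$"
)
# OGNL expression delimiters. The S2-045 reports describe the attack as a
# crafted Content-Type header; these delimiters are what OGNL evaluates.
_OGNL_DELIMS = re.compile(r"[%$]\{")

# Constructed access-log layout for this example: combined-log prefix plus
# the request's Content-Type header quoted at the end of the line.
_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ctype>.*)"$'
)

# Constructed sample traffic: two normal requests, one carrying an OGNL
# delimiter, one with a Content-Type that is simply not a valid media type.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Mar/2017:10:01:22 +0000] "POST /upload.action HTTP/1.1" 200 512 "multipart/form-data; boundary=----ExampleBoundary01"
10.0.0.7 - - [16/Mar/2017:10:01:40 +0000] "POST /api/items HTTP/1.1" 201 88 "application/json; charset=utf-8"
10.0.0.9 - - [16/Mar/2017:10:02:07 +0000] "POST /index.action HTTP/1.1" 200 0 "%{#constructed_expression}"
10.0.0.11 - - [16/Mar/2017:10:02:31 +0000] "POST /index.action HTTP/1.1" 500 0 "multipart/form-data boundary=x"
"""


def classify_content_type(value: str) -> str:
    """Return 'ognl', 'malformed' or 'ok' for one Content-Type header value."""
    if _OGNL_DELIMS.search(value):
        return "ognl"
    if not _MEDIA_TYPE.match(value):
        return "malformed"
    return "ok"


def scan_log(lines):
    """Return (client ip, request path, verdict) for every request that is not 'ok'."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue  # not in the expected layout; skip rather than guess
        verdict = classify_content_type(m["ctype"])
        if verdict == "ok":
            continue
        parts = m["req"].split()
        path = parts[1] if len(parts) > 1 else "-"
        hits.append((m["ip"], path, verdict))
    return hits


if __name__ == "__main__":
    for ip, path, verdict in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{verdict:9} {ip:10} {path}")
```

A malformed Content-Type on its own is not proof of an attack, but on a Struts endpoint it is exactly the input the vulnerable parser mishandles, so both verdicts deserve a look.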

Read more in:

SC Magazine UK: Apache Struts vulnerability being exploited by attackers https://www.scmagazineuk.com/apache-struts-vulnerability-being-exploited-by-attackers/article/644531/
Apache: Apache Struts 2 Documentation https://cwiki.apache.org/confluence/display/WW/S2-045

Critical SAP Flaw in GUI Client (March 15 & 16, 2017)

SAP's monthly security update for March includes fixes for a number of flaws in the SAP HANA database system. The batch of fixes also addresses a vulnerability in the SAP GUI client that affects millions of users.

Read more in:

eWeek: SAP Patches Multiple HANA Vulnerabilities in March Update http://www.eweek.com/security/sap-patches-multiple-hana-vulnerabilities-in-march-update
Dark Reading: ERP Attack Risks Come into Focus http://www.darkreading.com/application-security/database-security/erp-attack-risks-come-into-focus/d/d-id/1328418?
V3: Warning over critical SAP vulnerability affecting millions of client PCs worldwide http://www.v3.co.uk/v3-uk/news/3006565/warning-over-critical-vulnerability-in-sap-on-millions-of-client-computers-worldwide
The Register: SAP pushes 25 patches and two patch patches https://www.theregister.co.uk/2017/03/15/sap_monthly_patches/

Four Charged in Yahoo Breach (March 15, 2017)

The US Department of Justice (DoJ) has announced the indictment of four people in connection with a massive breach that compromised 500 million Yahoo accounts. Two of the suspects, Dmitry Dokuchaev and Igor Sushchin, are officers in Russia's Federal Security Service (FSB). The other two suspects, Alexsey Belan and Karim Baratov, are cybercriminals who allegedly worked with Russian intelligence. Charges against the four include conspiracy, computer fraud and abuse, economic espionage, and aggravated identity theft.

[Editor Comments]

[Northcutt] There are two stories in this stack. One is clearly the Russian FSB officers and their minions. However, the US and Russia do not have an extradition agreement. The second story, which I find more interesting, is the use of forged cookies to access accounts. A large number of websites use cookies to allow users to access their sites without logging in every time. Even if you do not accept cookies with your browser, an attacker who can deduce the structure of the cookie and collect enough information to fill in the fields will have a fair chance of accessing your account. So be patient with web sites that require two-factor authentication such as a code sent to your mobile phone. They have your best interest at heart. The WSJ cookie article appears to be paywalled so I have found an alternative.
https://www.engadget.com/2017/03/01/yahoo-hackers-accessed-32-million-accounts-with-forged-cookies/
http://www.wsfa.com/story/22665099/countries-with-no-extradition-treaty-with-us

Read more in:

DoJ: U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions
CSMonitor: US charges Russian spies, hackers with massive Yahoo breach http://www.csmonitor.com/Technology/2017/0315/US-charges-Russian-spies-hackers-with-massive-Yahoo-breach
WSJ: How Hackers Turned Yahoo's Own System Against Its Users https://www.wsj.com/articles/authorities-lay-out-yahoo-hack-spree-1489620525
NYT: Indictment Details Collusion Between Cyberthief and 2 Russian Spies https://www.nytimes.com/2017/03/15/us/politics/indictment-collusion-cyberthief-russian-spies-yahoo.html
Ars Technica: US charges two Russian agents with ordering hack of 500m Yahoo accounts https://arstechnica.com/tech-policy/2017/03/us-charges-two-fsb-officers-two-criminal-hackers-in-yahoo-breach/
DarkReading: DoJ Indicts Russian FSB Officers and Cybercriminals in Yahoo Breach http://www.darkreading.com/endpoint/doj-indicts-russian-fsb-officers-and-cybercriminals-in-yahoo-breach/d/d-id/1328412?
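
The forged-cookie mechanism Stephen Northcutt describes in his comment above, as an added example (not code from the newsletter or from Yahoo): a cookie that is nothing but structured fields can be minted by anyone who learns its layout, while a cookie that also carries an HMAC over those fields cannot be minted without the server's key. The field names, key and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed server-side secret; in a real deployment it lives only on the server.
SERVER_KEY = b"constructed-server-key-do-not-reuse"


def _parse_fields(payload: str) -> dict:
    return dict(part.split("=", 1) for part in payload.split(";"))


# --- Forgeable design: the cookie is its fields and nothing else ------------
def make_plain_cookie(user: str, expires: int) -> str:
    return f"user={user};exp={expires}"


def read_plain_cookie(cookie: str, now=None):
    """Return the user named in the cookie if it has not expired.
    Nothing ties the cookie to the server, so knowing the layout is enough."""
    fields = _parse_fields(cookie)
    if int(fields["exp"]) < (now or time.time()):
        return None
    return fields["user"]


# --- Hardened design: the same fields plus an HMAC-SHA256 tag ---------------
def make_signed_cookie(user: str, expires: int, key: bytes = SERVER_KEY) -> str:
    payload = f"user={user};exp={expires}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def read_signed_cookie(cookie: str, key: bytes = SERVER_KEY, now=None):
    """Return the user only if the tag verifies under the server key."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # covers a missing "." and bad base64 (binascii.Error)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    fields = _parse_fields(payload.decode())
    if int(fields["exp"]) < (now or time.time()):
        return None
    return fields["user"]


NOW = 1_489_708_800     # constructed "current time": 17 March 2017 UTC
FUTURE = 4_102_444_800  # constructed expiry far in the future


def demo() -> dict:
    """Mint a 'victim' cookie under both designs, then read each one back."""
    forged_plain = make_plain_cookie("victim", FUTURE)  # no key needed
    forged_signed = make_signed_cookie("victim", FUTURE, key=b"attacker-guess")
    legit_signed = make_signed_cookie("victim", FUTURE)
    return {
        "plain_forgery_accepted": read_plain_cookie(forged_plain, now=NOW),
        "signed_forgery_accepted": read_signed_cookie(forged_signed, now=NOW),
        "legit_signed_accepted": read_signed_cookie(legit_signed, now=NOW),
    }


if __name__ == "__main__":
    print(demo())
```

Signing stops a cookie from being minted from its layout alone; it does nothing if the signing key itself leaks or the cookie is stolen, which is one reason the second factor Northcutt recommends still matters.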

WhatsApp and Telegram Fix Flaws that Could Be Exploited to Take Over Accounts (March 15, 2017)

WhatsApp and Telegram have patched the web-based versions of their encrypted communications services to fix a vulnerability that could have put accounts at risk of being hijacked. Check Point Software, which detected the flaw, notified both companies on March 7; both companies have fixed the problem.

Read more in:

ZDNet: Flaw in web versions of WhatsApp, telegram put accounts at risk http://www.zdnet.com/article/attackers-can-hijack-millions-of-whatsapp-telegram-accounts-in-seconds/
Computerworld: Malicious uploads allowed hijacking of WhatsApp and telegram accounts http://computerworld.com/article/3180979/security/malicious-uploads-allowed-hijacking-of-whatsapp-and-telegram-accounts.html
CNET: WhatsApp, Telegram flaws left accounts vulnerable to hackers https://www.cnet.com/news/whatsapp-telegram-flaws-left-accounts-vulnerable-to-hackers/
Softpedia: WhatsApp & Telegram Fix Critical Flaws in Web Platforms Allowing Account Hijack http://news.softpedia.com/news/whatsapp-telegram-fix-critical-flaws-in-web-platforms-allowing-account-hijack-513949.shtml
Wired: WhatsApp Hack Shows That Even Encryption Apps are Vulnerable in a Browser https://www.wired.com/2017/03/whatsapp-hack-shows-even-encryption-apps-vulnerable-browser/
Check Point: Check Point Discloses Vulnerability That Allowed Hackers to Take over Hundreds of Millions of WhatsApp & Telegram Accounts http://blog.checkpoint.com/2017/03/15/check-point-discloses-vulnerability-whatsapp-telegram/

Adobe Releases Updates for Flash and Shockwave (March 14 & 15, 2017)

Adobe has released updates for Flash Player and Shockwave Player. The Flash updates fix seven vulnerabilities, six of which are considered critical. Users running Flash on Windows, Mac, Linux, and Chrome operating systems are urged to upgrade to version 25.0.0.127. The Shockwave update fixes one vulnerability that could be exploited to gain elevated privileges.

[Editor Comments]

[Neely] Here is another reminder to reconsider your use of Flash. Many organizations replace Flash with HTML5, but leaving Flash behind means some content, often training material, is not available to users. This has to be factored into the decision to restrict its use. If you must use Flash, you must also commit to patching it as the cycle of patch upon patch is not going to let up anytime soon, and you'll need to have sufficient defense mechanisms at the endpoint to protect against exploitation.

Read more in:

ZDNet: Adobe fixes critical code execution bugs in Flash http://www.zdnet.com/article/adobe-fixes-six-remote-code-execution-bugs-in-flash/
KrebsOnSecurity: Adobe, Microsoft Push Critical Security Fixes https://krebsonsecurity.com/2017/03/adobe-microsoft-push-critical-security-fixes-10/
Softpedia: Adobe Fixed Critical Vulnerabilities in Flash and Shockwave http://news.softpedia.com/news/adobe-fixed-critical-vulnerabilities-in-flash-and-shockwave-513948.shtml
Adobe: Security updates available for Adobe Flash Player https://helpx.adobe.com/security/products/flash-player/apsb17-07.html
Adobe: Security update available for Adobe Shockwave Player https://helpx.adobe.com/security/products/shockwave/apsb17-08.html

Second Person Charged in Connection with Citadel Malware (March 14 & 15, 2017)

The US Department of Justice (DoJ) has charged Mark Vartanyan with computer fraud for allegedly developing, improving and maintaining malware known as Citadel. Vartanyan was extradited to the US from Norway in December 2016. Citadel is used to steal information, including financial account access credentials. The malware is estimated to have infected 11 million computers and is responsible for losses of more than USD 500 million. Vartanyan is the second person to be charged in connection with Citadel. In December 2015, Dimitry Belorossov was sentenced to four-and-a-half years in prison for operating a Citadel botnet.

Read more in:

Dark Reading: Russian Hacker Charged in 'Citadel' Malware Attacks http://www.darkreading.com/russian-hacker-charged-in-citadel-malware-attacks/d/d-id/1328404?
DoJ: Russian Hacker "Kolypto" Extradited from Norway https://www.justice.gov/usao-ndga/pr/russian-hacker-kolypto-extradited-norway
Reuters: Russian sentenced to four-and-a-half years in U.S. prison for 'Citadel' malware (2015) http://www.reuters.com/article/us-usa-cybersecurity-citadel-idUSKCN0RT2H320150929

Microsoft's March Patch Tuesday Incorporates February's Fixes, Postpones Move to Database (March 14, 2017)

March's Patch Tuesday comprises 18 security bulletins fixing at least 135 vulnerabilities. In addition to the large patch release due to February's patches being delayed, Microsoft has put off retiring the bulletin model that was supposed to end in January. February's update was going to be the debut of Microsoft's searchable support document database, but the March update, which incorporates fixes that presumably had been scheduled for release last month, returns to the bulletin model.

Read more in:

ZDNet: Microsoft finally fixes 'critical' Windows security flaw after patch delay http://www.zdnet.com/article/microsoft-finally-gets-back-on-patch-tuesday-schedule-after-earlier-glitch/
Computerworld: Microsoft fixes record number of flaws, some publicly known http://computerworld.com/article/3181314/security/microsoft-fixes-record-number-of-flaws-some-publicly-known.html
TechNet: Microsoft Security Bulletin Summary for March 2017 https://technet.microsoft.com/en-us/library/security/MS17-MAR
Computerworld: Microsoft stays security bulletins' termination http://computerworld.com/article/3180855/security/microsoft-stays-security-bulletins-termination.html

SXSW: Congressman Proposes National Guard for Cybersecurity (March 12 & 14, 2017)

Speaking at the SXSW (South by Southwest) conference last week, US congressman Ruben Gallego said that establishing a cybersecurity reserve could help the government protect the country from digital threats and bolster the country's security. The military has established career paths that focus on cybersecurity, but many people with cybersecurity skills may not be interested in joining the military. "We could definitely use their knowledge in service to our country," said Gallego, adding that "we need to find a way to bring in your cyber warrior to come in and work for the NSA, or Department of Defense for a couple weeks per year."

[Editor Comments]

[Neely] This is an attractive idea. It is challenging to get cyber defenders to join the military, so a reserve model of a couple of weeks a year would sweeten the pot, and possibly mitigate the risks of them getting lured away by the private sector.

Read more in:

CNN: Congressman: We need a National Guard for cybersecurity http://money.cnn.com/2017/03/12/technology/national-guard-tech-cybersecurity-sxsw/
Military Times: Congressman proposes creating a National Guard for cybersecurity http://www.militarytimes.com/articles/congressman-wants-to-create-a-national-guard-for-cybersecurity

INTERNET STORM CENTER TECH CORNER

Microsoft's Double Patch Tuesday

https://isc.sans.edu/forums/diary/February+and+March+Microsoft+Patch+Tuesday/22185/

Twitter App "Twitter Counter" Compromise Leads to Unauthorized Tweets from a Large Number of Accounts

https://twitter.com/thecounter

Telegram and WhatsApp Image Vulnerability

http://blog.checkpoint.com/2017/03/15/check-point-discloses-vulnerability-whatsapp-telegram/

RSA Panel Webcast

https://cc.readytalk.com/registration/#/?meeting=6oowksc223hm&campaign=ijmt1z8qsc1q

Certain Ubiquiti Equipment Vulnerable to CSRF/Code Execution

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170316-0_Ubiquiti_Networks_authenticated_command_injection_v10.txt

Proton Mac OS RAT

https://www.cybersixgill.com/proton-a-new-mac-os-rat/

Linux Kernel n_hdlc Privilege Escalation

http://seclists.org/oss-sec/2017/q1/569

VMware Copy/Paste Exploit Fixed

https://www.vmware.com/security/advisories/VMSA-2017-0005.html

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create