SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #25
March 28, 2017

TOP OF THE NEWS
FBI Warns of Attacks Targeting Healthcare Industry FTP Servers
IoT Miele Dishwasher Vulnerable to Directory Traversal Attack
THE REST OF THE WEEK'S NEWS
LastPass Working on Fix for Remote Code Execution Vulnerability
DHS Requires First Responder Encrypted Radios to Use AES 256
Police Recommend Prosecuting vDOS Suspects
Microsoft Temporarily Pulls Docs.com Search Feature
Google: Symantec Flubbed Certs
Germany Blocked Attacks from Russian Hacking Group Last Year
Tesco Breach, Lloyds DDoS Prompt Call for Clarification of Lines of Accountability
Senate Bill Would Require Companies to Tell Regulators Whether Board Includes Cyber Expertise
Booz Allen Setting Up Auto-ISAC
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Infocyte ***********************
Threat Hunters from Infocyte and SANS will discuss how to adapt Digital Forensics & Incident Response (DFIR) techniques to scalably and proactively hunt for unknown threats across an entire enterprise network. This approach is called Forensic State Analysis (FSA). Ultimately, FSA arms hunters with an effective and efficient methodology to hunt without relying solely on sophisticated security infrastructure, sensors, or big data. Register: http://www.sans.org/info/193622
***************************************************************************
TRAINING UPDATE
-- SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017
-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017
-- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017
-- SANS Automotive Cybersecurity Summit & Training | Detroit, MI | May 1-8, 2017 | https://www.sans.org/event/automotive-cybersecurity-summit/
-- SANS Security West 2017 | San Diego, CA | May 9-18 | https://www.sans.org/event/sans-security-west-2017
-- SANS San Francisco Summer 2017 | June 5-10 | https://www.sans.org/event/san-francisco-summer-2017
-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 | https://www.sans.org/event/security-operations-center-summit-2017
-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 | https://www.sans.org/event/secure-europe-2017
-- SANS Cyber Defence Canberra 2017 | June 26-July 8 | https://www.sans.org/event/cyber-defence-canberra-2017
-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017
-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017
-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/
***************************************************************************
TOP OF THE NEWS
FBI Warns of Attacks Targeting Healthcare Industry FTP Servers (March 27, 2017)
The FBI has issued a private industry warning that attackers are targeting anonymous file transfer protocol (FTP) servers in the healthcare industry. The attackers appear to be seeking protected health information (PHI) and personally identifiable information (PII). The FBI recommends that healthcare organizations check their networks for FTP servers running in anonymous mode and, if they have a reason for operating those servers, ensure that they do not hold PHI or PII.

[Editor Comments]

[Pescatore] The FBI warning focuses on the data breach risks of having anonymous FTP services in use on your network. Equally important these days is the risk anonymous FTP raises of attackers inserting illegal or embarrassing content on those servers and then either involving your company in illegal activities or threatening to expose your hosting of the content unless extortion payments are made. Don't leave anonymous FTP servers active just because they are not hosting sensitive info.

[Henry] Attacks against the healthcare industry have been on the rise for the past several years. The value of PHI data to criminals and, additionally, the value of this very personal information to nation-states who may use it to build "dossiers" on people they may try to compromise, has increased this information as a target. Add to that the increased "healthcare target space," in terms of more organizations pushing this data to the network, and increased medical IoT devices collecting/storing/transmitting this sensitive information, and you've got a recipe for significant exploitation.

Read more in:

Dark Reading: FBI: Attackers Targeting Anonymous FTP Servers in Healthcare
http://www.darkreading.com/attacks-breaches/fbi-attackers-targeting-anonymous-ftp-servers-in-healthcare/d/d-id/1328496?
FBI: Cyber Criminals Targeting FTP Servers to Compromise Protected Health Information (PDF)
https://info.publicintelligence.net/FBI-PHI-FTP.pdf

IoT Miele Dishwasher Vulnerable to Directory Traversal Attack (March 24, 26 & 27, 2017)
A vulnerability in an Internet-connected industrial dishwasher could be exploited through a directory traversal attack to gain access to the networks supporting the machine. The Miele PG 8528 dishwasher is designed to be used in restaurants and bars; it is also used in hospitals. The issue arises from a built-in web server that allows the dishwasher to be remotely operated from a browser.

Read more in:

CyberScoop: Hackable IoT washing machine provides channel for breaching hospital IT
https://www.cyberscoop.com/hackable-iot-washing-machine-provides-channel-breaching-hospital/?category_news=technology

The Register: Dishwasher has directory traversal bug
http://www.theregister.co.uk/2017/03/26/miele_joins_internetofst_hall_of_shame/

Full Disclosure: Miele Professional PG 8528 - Web Server Directory Traversal
http://seclists.org/fulldisclosure/2017/Mar/63

*************************** SPONSORED LINKS *****************************
1) Thinking about replacing your antivirus? Download this free proof of concept checklist for selecting a next-gen antivirus solution - Download now. http://www.sans.org/info/193627
2) Why is the US NIST Cybersecurity Framework being quickly adopted around the globe? Learn More: http://www.sans.org/info/193637
3) Don't Miss: SOC in the Cloud: A review of Arctic Wolf SOC Services. http://www.sans.org/info/193637
***************************************************************************

THE REST OF THE WEEK'S NEWS
LastPass Working on Fix for Remote Code Execution Vulnerability (March 28, 2017)
Developers for the LastPass password manager are developing a fix for a flaw that affects version 4.1.42 of the LastPass Chrome extension. Google Project Zero's Tavis Ormandy notified LastPass of the issue over the weekend.

[Editor Comments]

[Honan] LastPass should be commended for how they reacted to the news of the vulnerabilities; they have already released a fix for this issue: https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/

Read more in:

ZDNet: LastPass acknowledges browser extension vulnerability, working on fix
http://www.zdnet.com/article/lastpass-acknowledges-browser-extension-vulnerability-working-on-fix/

The Register: LastPass scrambles to fix another major flaw - once again spotted by Google's bug finders
https://www.theregister.co.uk/2017/03/27/lastpass_confirms_major_flaw/

DHS Requires First Responder Encrypted Radios to Use AES 256 (March 27, 2017)
The US Department of Homeland Security (DHS) is requiring first responder radio equipment that uses encryption to use the Advanced Encryption Standard (AES) 256. The requirement is part of the Project 25 Compliance Assessment Program Encryption Requirements, an effort to ensure device interoperability across departmental and jurisdictional lines.

Read more in:

GCN: DHS adds encryption requirements to responder radio equipment
https://gcn.com/articles/2017/03/27/p25-encryption.aspx?admgarea=TC_SecCybersSec

DHS: P25 CAP Encryption Requirements
https://www.dhs.gov/publication/p25-cap-encryption-requirements

Police Recommend Prosecuting vDOS Suspects (March 27, 2017)
Israeli police are recommending that authorities indict and prosecute two men who allegedly operated vDOS, a distributed denial-of-service (DDoS) attack service. The police are recommending that the pair be charged with computer fraud and extortion.

Read more in:

KrebsOnSecurity: Alleged vDOS Owners Poised to Stand Trial
https://krebsonsecurity.com/2017/03/alleged-vdos-owners-poised-to-stand-trial/

Microsoft Temporarily Pulls Docs.com Search Feature (March 26 & 27, 2017)
After learning that users were inadvertently sharing sensitive documents publicly, Microsoft has temporarily shut down the Docs.com search function. Docs.com allows users to share documents with other people. Users can designate documents as one of three levels of visibility: Public, Limited, and Organization. The default setting for uploaded documents is Public.

[Editor Comments]

[Murray] Microsoft owes a great deal of its success to a preference for openness. Society owes a great deal of gratuitous vulnerability to Microsoft's success. It is time for Microsoft to think "safe out of the box."

[Williams] Enterprise DLP should have discovered users uploading sensitive data to the site where it was inadvertently shared publicly. This is a great case showing where defense in depth would have covered enterprise users, though home users would still be on their own here.

Read more in:

Ars Technica: Doxed by Microsoft's Docs.com: Users unwittingly shared sensitive docs publicly
https://arstechnica.com/security/2017/03/doxed-by-microsofts-docs-com-users-unwittingly-shared-sensitive-docs-publicly/

ZDNet: Microsoft yanks Docs.com search after complaints of exposed sensitive files
http://www.zdnet.com/article/microsoft-yanks-docs-com-search-after-complaints-of-exposed-sensitive-files/

The Register: FYI Docs.com users: You may have leaked passwords, personal info - thousands have
http://www.theregister.co.uk/2017/03/27/microsoft_docs_com_office_365_leak/

Google: Symantec Flubbed Certs (March 24, 26 & 27, 2017)
Citing "a continually increasing scope of misissuance," Google says it is distrusting some TLS certificates issued by Symantec. Google maintains that Symantec has failed to properly validate at least 30,000 certificates it issued over the past several years. Symantec says it will reissue SSL certificates that Chrome distrusts.

[Editor Comments]

[Williams] It is important to understand that this is currently just a proposal and is currently only backed by Chrome (Mozilla and Microsoft are currently silent on the issue). There were only 127 certificates that Google can confirm were fraudulently issued, however there are concerns that the numbers are much higher. The CA trust framework breaks down under these conditions and Google currently is doing the responsible thing under these conditions. They have taken a measured approach in gradually removing trust for Symantec certificates and limiting the maximum lifetime for newly issued certificates from Symantec. Organizations using Symantec certificates should consider whether they will reissue certificates from Symantec or another CA. Organizations should also consider their B2B web use, and consider their risks if it is secured with Symantec certificates. Note that risks are sufficiently higher if B2B data transits an untrusted ISP. An online tool is available to determine if a particular site uses a Symantec certificate and provides details about when it will be untrusted by Chrome. Rendition Infosec Certificate Check Tool: https://www.renditioninfosec.com/socapps/sslcheck/index.php
Read more in:

CyberScoop: Symantec says it will reissue digital certs distrusted by Chrome
https://www.cyberscoop.com/symantec-chrome-certificate-authority-ev-reissue/?category_news=technology

The Register: Google slaps Symantec for sloppy certs, slow show of SNAFUs
http://www.theregister.co.uk/2017/03/24/google_slaps_symantec_for_sloppy_certs_slow_show_of_snafus/

Dark Reading: Symantec Seeks to Quell CA Customer Concerns over Google Warning
http://www.darkreading.com/endpoint/authentication/symantec-seeks-to-quell-ca-customer-concerns-over-google-warning/d/d-id/1328495?

Symantec: A Message To Our CA Customers
https://www.symantec.com/connect/blogs/message-our-ca-customers

Computerworld: To punish Symantec, Google may distrust a third of the web's SSL certificates
http://computerworld.com/article/3184573/security/to-punish-symantec-google-may-distrust-a-third-of-the-webs-ssl-certificates.html

eWeek: Google Threatens to Distrust Symantec SSL/TLS Certificates
http://www.eweek.com/security/google-threatens-to-distrust-symantec-ssl-tls-certificates

Germany Blocked Attacks from Russian Hacking Group Last Year (March 24, 2017)
A German official said that experts in that country fended off two cyberattacks last year from a group known as APT28, which is believed to be behind attacks that targeted Hillary Clinton's presidential campaign last year. Arne Schoenbohm, president of Germany's Federal Office for Information Security (BSI), said that one of the attacks tried to create a phony Internet domain for Chancellor Angela Merkel; the other was a phishing attack against German legislators.

Read more in:

NYT: Germany Blocked Russian Hacking Attacks in 2016
https://www.nytimes.com/reuters/2017/03/24/world/europe/24reuters-germany-elections-russia.html

Tesco Breach, Lloyds DDoS Prompt Call for Clarification of Lines of Accountability (March 23, 2017)
Noting that "The lines of responsibility and accountability for reducing cyber threats still appear to be somewhat opaque," UK MP Andrew Tyrie is calling on the government to appoint a single official to be in charge of managing attacks against financial organizations, and to be accountable to a single minister. The call comes in response to the November 2016 breach at Tesco Bank in which thieves stole a total of GBP 2.5 million from 9,000 customer accounts, and to a January 2017 distributed denial-of-service attack that prevented Lloyds Banking Group customers from accessing online accounts for at least two days. Tyrie is chair of the Treasury Select Committee.

[Editor Comments]

[Honan] The EU Network and Information Security Directive (NIS Directive) https://ec.europa.eu/digital-single-market/en/network-and-information-security-nis-directive is due to come into force in May 2018, which each member state will need to legislate for. The purpose of this directive is to protect digital resources in each member state "which are vital for our economy and society and moreover rely heavily on ICTs, such as energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure".
Read more in:

Telegraph: MPs warn system for preventing cyber attacks against banks needs to be overhauled in wake of Tesco hack
http://www.telegraph.co.uk/business/2017/03/23/mps-warn-system-preventing-cyber-attacks-against-banks-needs/

DigitalLook: Treasury Committee chair calls for bank cybersecurity watchdog
http://www.digitallook.com/news/political-news/treasury-committee-chair-calls-for-bank-cybersecurity-watchdog--2586803.html

Parliament Publications: Tyrie Letter re: Cyber Security in the Financial Services Sector (December 2016)
https://www.publications.parliament.uk/pa/cm201617/cmselect/cmtreasy/correspondence/Treasury-Committee-Chair-to-Ciaran-Martin-07-12-16.pdf

Senate Bill Would Require Companies to Tell Regulators Whether Board Includes Cyber Expertise (March 20, 2017)
The Cybersecurity Disclosure Act of 2017, a bill introduced in the US Senate, would require publicly traded companies to disclose to regulators whether they have board members with cybersecurity expertise. While the legislation does not require companies to have a board member with cybersecurity expertise, it does require the companies that do not have such a board member to explain why it is not necessary based on other precautions they have taken. One of the bill's sponsors, Senator Jack Reed (D-Rhode Island), said, "Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight."

[Editor Comments]

[Williams] This is an interesting proposal, but there are questions about what will constitute "cyber expertise." The proposed bill states that the NIST NICE Cybersecurity Workforce Framework, currently in draft form, will be used to define what constitutes "expertise." If this bill becomes law, the NICE CWF will be increasingly important. Organizations may wish to familiarize themselves with the draft standard now. NICE Cybersecurity Workforce Framework (PDF): http://csrc.nist.gov/publications/drafts/800-181/sp800_181_draft.pdf

Read more in:

GovInfoSecurity: Bill Would Compel Firms to Say If CyberSec Expert Sits on Board
http://www.govinfosecurity.com/bill-would-compel-firms-to-say-if-cybersec-expert-sits-on-board-a-9776

Booz Allen Setting Up Auto-ISAC (March 19, 2017)
Booz Allen Hamilton is setting up a system for the Automotive Information Sharing and Analysis Center (Auto-ISAC). The company is reaching out to the suppliers that make parts for connected cars. Companies that join Auto-ISAC have access to information about threats facing the industry.

Read more in:

Washington Post: Behind Booz Allen's effort to get carmakers to work together against hackers
https://www.washingtonpost.com/business/capitalbusiness/behind-booz-allens-effort-to-get-carmakers-to-work-together-against-hackers/2017/03/19/a4e9a146-0b4f-11e7-b77c-0047d15a24e0_story.html

INTERNET STORM CENTER TECH CORNER
Google Announces Removal of Symantec CAs for Extended Validation
https://www.symantec.com/connect/blogs/symantec-backs-its-ca
https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/eUAKwjihhBs
https://chromium.googlesource.com/chromium/src/+/master/net/data/ssl/symantec/README.md

Spoofing Referrer in Microsoft Edge
https://www.brokenbrowser.com/referer-spoofing-patch-bypass/

Smart TV Compromise Via Broadcast Signals
https://www.youtube.com/watch?v=bOJ_8QHX6OA

Apple Updates
https://support.apple.com/en-us/HT201222

IIS 6 / Windows Server 2003 Exploit
https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py

Symantec SSL Update
https://www.symantec.com/connect/blogs/message-our-ca-customers

***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create