SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #26
March 31, 2017
TOP OF THE NEWS
Insurance Company Files Lawsuit, Says General Liability Policy Does Not Cover Data Breach
US Legislators Vote to Undo FCC's ISP Privacy Laws
CyberFirst Girls Challenge Draws 8,000 Entrants
THE REST OF THE WEEK'S NEWS
Information Sharing is Not Enough
WikiLeaks CIA Tools Dump Underscores US Government's Focus on Offensive Cyber Spending
VMware Releases Security Updates
Dimnie Malware Now Being Used to Target GitHub Users
Microsoft Unlikely to Patch IIS 6.0 Vulnerability
IBM X-Force Threat Intelligence Index Report
To VPN or Not to VPN
Splinter: Protecting the Privacy of Public Database Queries
Guilty Plea in Ebury Botnet Case
Apple Updates for macOS, iOS, and Safari
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By AGARI ***************************
BEC "Wake-up Call": 2 Companies Lose $100M to Email Scam.
The FBI just arrested a Lithuanian man for stealing $100M from two U.S. companies by impersonating their Asian computer hardware supplier. This sophisticated email attack easily evaded Secure Email Gateways. Learn the techniques used in the attack, cyber kill chain, & how to avoid becoming the next $100M victim. http://www.sans.org/info/193862
***************************************************************************
TRAINING UPDATE
-- SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017
-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017
-- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017
-- SANS Automotive Cybersecurity Summit & Training | Detroit, MI | May 1-8, 2017 | https://www.sans.org/event/automotive-cybersecurity-summit/
-- SANS Security West 2017 | San Diego, CA | May 9-18 | https://www.sans.org/event/sans-security-west-2017
-- SANS San Francisco Summer 2017 | June 5-10 | https://www.sans.org/event/san-francisco-summer-2017
-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 | https://www.sans.org/event/security-operations-center-summit-2017
-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 | https://www.sans.org/event/secure-europe-2017
-- SANS Cyber Defence Canberra 2017 | June 26-July 8 | https://www.sans.org/event/cyber-defence-canberra-2017
-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017
-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017
-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/
***************************************************************************
TOP OF THE NEWS
Insurance Company Files Lawsuit, Says General Liability Policy Does Not Cover Data Breach (March 30, 2017)
St. Paul Fire & Marine Insurance has filed a lawsuit against Rosen Millennium Technology Group, a sister company to Rosen Hotels & Resorts, seeking a judge's confirmation that the insurance company is not responsible for paying costs related to a data breach of the hotel's point-of-sale system. Rosen was fined USD 2.4 million by payment card companies and others regarding the breach. Rosen filed for reimbursement of the expense under its general liability policy. St. Paul maintains that the data breach and its financial consequences are not covered by the general liability policy.
[Editor Comments]
[Pescatore] It seems that most general liability policies do not cover cyber incident costs. Unfortunately, it also seems that many cybersecurity-insurance-specific policies don't cover a lot of cyber incident costs and if they do, they merely reduce the cost by a fixed amount - they do not cap liability, let alone transfer it.
[Williams] It seems like every breach we work, organizations are surprised at what is and isn't covered by their general liability and cyber security policies. In this heartbreaking case, Rosen apparently believes it is covered for something it is clearly not. Worse yet, they are expending time and resources fighting a losing battle to get money from their insurance company while those same resources could be used to better secure assets.
Read more in:
SC Magazine: Insurer sues Rosen Hotels over data breach payments https://www.scmagazine.com/insurer-sues-rosen-hotels-over-data-breach-payments/article/647559/
Orlando Sentinel: American Express, Mastercard, Visa Fine Rosen Hotels in data breach, lawsuit says http://www.orlandosentinel.com/business/brinkmann-on-business/os-rosen-hotels-data-breach-20170329-story.html
SC Mag: Complaint: St Paul Fire & Marine Insurance Company v. Rosen Millennium, Inc. https://media.scmagazine.com/documents/291/st_paul_fire___marine_72749.pdf
US Legislators Vote to Undo FCC's ISP Privacy Laws (March 29, 2017)
The US House of Representatives has voted to undo the Federal Communications Commission's (FCC's) broadband privacy rules, allowing Internet service providers (ISPs) to sell customers' data, including browsing history, without obtaining their consent. The Senate approved the change earlier this month.
Read more in:
SC Magazine: House votes to repeal FCC privacy laws for ISPs https://www.scmagazine.com/house-votes-to-repeal-fcc-privacy-laws-for-isps/article/647076/
CyberFirst Girls Challenge Draws 8,000 Entrants (March 28, 29 & 30, 2017)
The UK's National Cyber Security Centre's CyberFirst Girls competition drew more than 8,000 participants. More than 2,000 teams of three or four girls took part in online competitions over the course of several weeks. The field was winnowed to 10 teams comprising 37 students who were invited to a day-long final competition in London on March 27. The girls-only competition was created to raise awareness about cybersecurity as a potential career path for women.
Read more in:
SC Magazine UK: Girls crack code in CyberFirst challenge and impress judges https://www.scmagazineuk.com/girls-crack-code-in-cyberfirst-challenge-and-impress-judges/article/647255/
NCSC: Girls impress judges in national final of cyber security contest https://www.ncsc.gov.uk/news/girls-impress-judges-national-final-cyber-security-contest
GCHQ: CyberFirst Girls Competition finds worthy winner https://www.gchq.gov.uk/news-article/cyberfirst-girls-competition-finds-worthy-winner
Oxford Times: Talented schoolgirls compete to stop online hackers http://www.oxfordtimes.co.uk/news/15188954.Talented_schoolgirls_compete_to_stop_online_hackers/
*************************** SPONSORED LINKS *****************************
1) Don't Miss: "How to Achieve Visibility, Security and Integrity for Forward Looking Resilience" Register: http://www.sans.org/info/193867
2) "Increasing Software Security Up and Down the Supply Chain" with John Pescatore. Learn More: http://www.sans.org/info/193872
3) Take the SANS 2017 Survey on Insider Threats and register for a chance to win a $400 Amazon gift card: http://www.sans.org/info/193877
***************************************************************************
THE REST OF THE WEEK'S NEWS
Information Sharing is Not Enough (March 30, 2017)
Speaking at the Billington International Cybersecurity Summit at the National Press Club in Washington, DC earlier this week, an NSA official said that there needs to be a shared public-private framework not only to share threat information but to orchestrate response. Neal Ziring, technical director for the NSA's Capabilities Directorate, said "Information sharing by itself is not enough. We need to start establishing the infrastructures, the standards, the practices, for shared response."
Read more in:
CyberScoop: NSA technical director: Sharing hacker information isn't enough, we need a shared response https://www.cyberscoop.com/nsa-technical-director-sharing-hacker-information-isnt-enough-need-shared-response/
WikiLeaks CIA Tools Dump Underscores US Government's Focus on Offensive Cyber Spending (March 30, 2017)
WikiLeaks' recent dump of CIA hacking tools prompted Cisco Systems to reassign staff to figure out which flaws in the company's switches the tools exploited. The fact that it took the leak of this information to alert a major US technology company to security issues in its products highlights concerns about the way the US government approaches cybersecurity: the government's cyber program spending focuses heavily on offensive rather than defensive measures.
[Editor Comments]
[Pescatore] Science fiction writer Gene Wolfe has the best relevant quote: "The best offense is a good defense, but a bad defense is offensive." Offense informing defense is important - National policy that tries to make the same organization responsible for both offense and defense invariably shortchanges defense.
[Williams] Far be it from me to tell anyone how to spend their budget, but I will point out that while Stuxnet (an offensive cyber operation largely believed to be the US) was going on, so were Snowden, Manning, and probably Martin (all insiders). The OPM hacks (and surely countless others that the US Government will keep classified) were also ongoing. A quick look around shows that defensive cyber research is sorely needed, even if we restrict the scope to protecting USG interests.
Read more in:
Reuters: A scramble at Cisco exposes uncomfortable truths about U.S. cyber defense http://www.reuters.com/article/us-usa-cyber-defense-idUSKBN17013U
VMware Releases Security Updates (March 30, 2017)
VMware has released patches for four vulnerabilities demonstrated during the Pwn2Own contest. The flaws affect VMware ESXi, VMware Workstation Pro and Player, and VMware Fusion. The flaws could be exploited to escape from virtual machines.
Read more in:
Computerworld: VMware patches critical virtual machine escape flaws http://computerworld.com/article/3186418/security/vmware-patches-critical-virtual-machine-escape-flaws.html
VMware: VMware ESXi, Workstation, and Fusion updates address critical and moderate security issues http://www.vmware.com/security/advisories/VMSA-2017-0006.html
Dimnie Malware Now Being Used to Target GitHub Users (March 30, 2017)
Espionage malware known as Dimnie has recently begun targeting GitHub users. The malware has been around for several years, but until January, was mainly targeting Russian users. Dimnie has a series of modules that allow attackers to perform various tasks, including keystroke logging, grabbing screenshots, cataloging processes running on the computer, and self-destructing.
Read more in:
Ars Technica: Someone is putting lots of work into hacking Github developers https://arstechnica.com/security/2017/03/someone-is-putting-lots-of-work-into-hacking-github-developers/
Computerworld: Open-source developers targeted in sophisticated malware attack http://computerworld.com/article/3186587/security/open-source-developers-targeted-in-sophisticated-malware-attack.html
Microsoft Unlikely to Patch IIS 6.0 Vulnerability (March 29 & 30 2017)
Microsoft says it is unlikely to fix a vulnerability in the IIS 6.0 web server that has been exploited in attacks since last summer. The flaw, in the server's WebDAV extension, allows attackers to run code on vulnerable servers with the privileges of the user account running the application. IIS 6.0 ships with Windows Server 2003, for which Microsoft ended support in July 2015; Microsoft said that "the issue does not affect currently supported versions." The software is estimated to be running on 600,000 servers.
[Editor Comments]
[Honan] This is a good example of why organisations need to plan on how they ensure their systems are running on properly supported platforms. Securing an application or system does not end once that system is installed but needs to be an ongoing process for the lifetime that the solution will be in place.
[Williams] It is critical to note that while IIS is running on many publicly available web servers, not all of them are vulnerable to the exploit. Still, this highlights why it is such a big deal to update your servers (since this vulnerability will not be patched). Many clients we work with had update plans for XP, but completely failed to do the same for Windows Server 2003. Maybe now update plans will be taken more seriously.
Read more in:
Computerworld: Millions of websites affected by unpatched flaw in Microsoft IIS 6 web server http://computerworld.com/article/3186667/security/millions-of-websites-affected-by-unpatched-flaw-in-microsoft-iis-6-web-server.html
ZDNet: Windows zero-day affects 600,000 older servers, but likely won't be patched http://www.zdnet.com/article/windows-web-server-zero-day-likely-wont-be-patched/
ThreatPost: Publicly Attacked Microsoft IIS Zero Day Unlikely to be Patched https://threatpost.com/publicly-attacked-microsoft-iis-zero-day-unlikely-to-be-patched/124641/
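A triage check for the IIS 6.0 item above, added here as an example rather than code from Microsoft or from any of the cited articles. Because the reported flaw sits in IIS 6.0's WebDAV extension, the check fingerprints a host from the headers of an HTTP OPTIONS response: "Server: Microsoft-IIS/6.0" together with a "DAV:" header or WebDAV methods in "Allow:"/"Public:" marks the hosts to retire or isolate first. The probe path, the sample header sets and the verdict labels are assumptions made for this demo; a banner can be spoofed and a missing DAV header does not prove WebDAV is off, so treat the verdict as prioritisation, not proof.

```python
"""Triage helper for unsupported IIS 6.0 hosts (added example, not vendor code).

classify_iis_headers() works on a plain header mapping so it can be run
offline against the constructed samples below; probe() wraps it in a live
OPTIONS request for hosts you are allowed to scan.
"""
import http.client
import re

_PROBE_PATH = "/"  # assumption: OPTIONS is issued against the site root


def classify_iis_headers(headers):
    """Classify a mapping of response headers (header names are case-insensitive).

    Returns one of:
      'iis6-webdav-enabled'  - IIS 6.0 and WebDAV advertised: highest priority
      'iis6-webdav-unknown'  - IIS 6.0 but WebDAV not advertised in this reply
      'not-iis6'             - some other server or version
    """
    h = {k.lower(): v for k, v in headers.items()}
    server = h.get("server", "")
    if not re.search(r"Microsoft-IIS/6\.0\b", server):
        return "not-iis6"
    # WebDAV is advertised either by a DAV: compliance header or by WebDAV
    # methods listed in Allow:/Public:.
    allow = ",".join(filter(None, [h.get("allow", ""), h.get("public", "")]))
    methods = {m.strip().upper() for m in allow.split(",") if m.strip()}
    webdav = "dav" in h or bool({"PROPFIND", "PROPPATCH", "MKCOL", "LOCK"} & methods)
    return "iis6-webdav-enabled" if webdav else "iis6-webdav-unknown"


def probe(host, port=80, timeout=5):
    """Send an OPTIONS request and classify the live response (needs network access)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", _PROBE_PATH)
        resp = conn.getresponse()
        return classify_iis_headers(dict(resp.getheaders()))
    finally:
        conn.close()


# Constructed sample responses (not captured from real hosts).
SAMPLE_IIS6_WEBDAV = {
    "Server": "Microsoft-IIS/6.0",
    "Allow": "OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK",
    "DAV": "1, 2",
    "Public": "OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, LOCK, UNLOCK",
}
SAMPLE_IIS6_NO_WEBDAV = {
    "Server": "Microsoft-IIS/6.0",
    "Allow": "OPTIONS, TRACE, GET, HEAD, POST",
}
SAMPLE_IIS10 = {"Server": "Microsoft-IIS/10.0", "Allow": "OPTIONS, TRACE, GET, HEAD, POST"}

if __name__ == "__main__":
    for name, hdrs in [("iis6+dav", SAMPLE_IIS6_WEBDAV),
                       ("iis6", SAMPLE_IIS6_NO_WEBDAV),
                       ("iis10", SAMPLE_IIS10)]:
        print(name, classify_iis_headers(hdrs))
```

Run it across an asset inventory and feed the "iis6-webdav-enabled" hosts into the migration plan first; the "iis6-webdav-unknown" hosts still need retiring, since the operating system itself is out of support.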
IBM X-Force Threat Intelligence Index Report (March 28 & 30, 2017)
According to IBM's X-Force Threat Intelligence Index Report, 10,197 vulnerabilities were disclosed and more than 4 billion records were compromised in 2016. The report also says that the healthcare industry saw more malicious insider cybersecurity incidents than any other sector. Clients monitored by X-Force saw a decrease in attacks in 2016 from 2015. The data in the report were gathered from X-Force monitored security clients as well as from "non-customer assets such as spam sensors and honeynets."
[Editor Comments]
[Murray] The health care industry suffers from a culture of gossip about patients among caregivers. HIPAA has had the perverse effect of slowing the use of IT and this has aggravated the problem.
Read more in:
eWeek: IBM X-Force Report Reveals a Record Number of Vulnerabilities in 2016 http://www.eweek.com/security/ibm-x-force-report-reveals-a-record-number-of-vulnerabilities-in-2016
CyberScoop: Health care industry is king of the malicious insider threat https://www.cyberscoop.com/health-care-industry-king-malicious-insider-threat/
To VPN or Not to VPN (March 30, 2017)
As people concerned about their Internet privacy consider turning to VPNs (virtual private networks), Brian Krebs discusses their benefits and drawbacks. He cautions readers that "It's important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data - and possibly even compounding your privacy woes in the process." Krebs also notes that "virtually nothing has changed about the privacy of the average American's connection to the Internet as a result of this action by Congress."
[Editor Comments]
[Williams] Three points here. One: Your ISP (if they care) can discover you are running a VPN, which may be considered suspicious. Two: How well do you trust your VPN provider, because you are trusting them with a lot. Also, if the government wants to spy on you they can simply monitor VPN exit points. All the people doing things worth hiding probably come from there anyway... Three: Most of the FCC regulations hadn't come into force yet, so the bill hasn't measurably changed much today. It does however ensure that more robust privacy regulations are not enforced.
Read more in:
KrebsOnSecurity: Post-FCC Privacy Rules, Should You VPN? https://krebsonsecurity.com/2017/03/post-fcc-privacy-rules-should-you-vpn/
Splinter: Protecting the Privacy of Public Database Queries (March 28 & 29, 2017)
Researchers from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) have developed a system called Splinter that protects the privacy of users querying public databases by splitting each query into shares that are sent to several providers, each holding an identical copy of the database. As long as at least one of the providers is trustworthy, the content of the query cannot be recovered. Splinter employs a cryptographic primitive called Function Secret Sharing (FSS) that keeps the query private "unless all the providers collude" and does not make undue demands on system CPUs. The researchers presented a paper on Splinter at the USENIX Symposium on Networked Systems Design and Implementation in Boston earlier this week.
Read more in:
The Register: CompSci boffins propose scheme to protect privacy in database searches http://www.theregister.co.uk/2017/03/28/function_secret_sharing/
FrankWang.org: Practical Private Queries on Public Data https://www.frankwang.org/papers/wang-splinter.pdf
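How the "unless all the providers collude" property works, as an added example that is not the MIT group's code. Splinter uses an efficient PRG-based FSS scheme; this demo uses the trivial truth-table construction (one share is a uniformly random table over the key space, the other is the one-hot query minus that table, mod a prime) so the privacy argument is visible in a few lines. Two providers hold identical copies of a constructed sample order table; the client asks for the COUNT and SUM of rows matching a chosen key, and each provider sees only a uniformly random share. The rows, key space, modulus and function names are assumptions for the demo.

```python
"""Toy Function Secret Sharing (FSS) query in the style of Splinter.

Added example, not code from the Splinter project. Each of two providers
receives one share of the point function f(k) = [k == target]; a share on
its own is uniformly random, so a single provider learns nothing about
the target key. Both shares together sum to the one-hot indicator.
"""
import secrets

P = 2**61 - 1  # prime modulus for additive sharing (assumption for the demo)

# Constructed sample "public database": (key, value) rows, replicated on both providers.
DATABASE = [
    ("ORD-1001", 120), ("ORD-1002", 75), ("ORD-1003", 310),
    ("ORD-1001", 40), ("ORD-1004", 99), ("ORD-1002", 5),
]
KEY_SPACE = sorted({k for k, _ in DATABASE})


def share_point_function(target_key, key_space, modulus=P):
    """Split f(k) = 1 if k == target_key else 0 into two additive shares.

    Trivial FSS: share0 is a uniformly random table; share1 = f - share0 (mod p).
    """
    share0 = {k: secrets.randbelow(modulus) for k in key_space}
    share1 = {k: ((1 if k == target_key else 0) - share0[k]) % modulus
              for k in key_space}
    return share0, share1


def provider_eval(share, database, modulus=P):
    """What one provider computes from its share and the public data.

    Returns (count_share, sum_share) = sum over rows of share[key] * (1, value).
    The provider never sees the target key, only random-looking coefficients.
    """
    count = 0
    total = 0
    for key, value in database:
        coeff = share.get(key, 0)
        count = (count + coeff) % modulus
        total = (total + coeff * value) % modulus
    return count, total


def combine(results, modulus=P):
    """Client adds the partial results to recover COUNT and SUM for its key."""
    count = sum(r[0] for r in results) % modulus
    total = sum(r[1] for r in results) % modulus
    return count, total


def private_count_sum(target_key, database=DATABASE, key_space=KEY_SPACE):
    """Full protocol: share the query, evaluate at each provider, combine."""
    s0, s1 = share_point_function(target_key, key_space)
    r0 = provider_eval(s0, database)   # provider A
    r1 = provider_eval(s1, database)   # provider B, identical database copy
    return combine([r0, r1])


def plaintext_count_sum(target_key, database=DATABASE):
    """Reference computation in the clear, to check the private result against."""
    rows = [v for k, v in database if k == target_key]
    return len(rows), sum(rows)


if __name__ == "__main__":
    for key in KEY_SPACE:
        print(key, private_count_sum(key), plaintext_count_sum(key))
```

The cost of the trivial construction is that each share is as large as the key space, which is exactly what the PRG-based FSS in the paper avoids; the security argument is the same in both cases, since a single share is indistinguishable from random regardless of the target key.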
Guilty Plea in Ebury Botnet Case (March 28 & 29, 2017)
Maxim Senakh, a Russian citizen, has pleaded guilty in a Minnesota court to conspiracy to violate the Computer Fraud and Abuse Act and to commit wire fraud. Senakh was responsible for distributing an SSH rootkit backdoor known as Ebury, which steals OpenSSH login credentials and uses them to enrol further servers in a botnet. The Ebury botnet was used to generate traffic for click fraud schemes and spam campaigns.
Read more in:
CNET: Russian hacker pleads guilty to get-rich-quick botnet https://www.cnet.com/news/russian-hacker-pleads-guilty-for-his-get-rich-quick-botnet/
ZDNet: Russian hacker pleads guilty in global botnet case http://www.zdnet.com/article/russian-hacker-pleads-guilty-in-global-botnet-case/
DoJ: Russian Citizen Pleads Guilty For Involvement IN Global Botnet Conspiracy https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy
Apple Updates for macOS, iOS, and Safari (March 28, 2017)
Apple has released updates to fix numerous security issues in macOS, iOS, and Safari. macOS has been updated to version 10.12.4; iOS has been updated to version 10.3; and Safari has been updated to version 10.1. Apple has also released updates for watchOS and tvOS.
[Editor Comments]
[Neely] With iOS 10.3 Apple raised the bar on security by nagging users to enable two-factor authentication for their Apple ID. Apple put a warning that remains in the settings application until manually cleared or two-factor authentication is configured. Apple makes the setup easy, allowing configuration from iOS devices, Web Browsers and OSX devices. This is an important first step to securing your iCloud account. Note: it is only validated upon first login from a new device, change your password or erase a device. Validating the login from a device makes it a trusted device which can then also receive verification codes. You can also add additional trusted phone numbers for redundancy. Consider having a trusted device that stays behind when traveling. Apple did a good job explaining the process: https://support.apple.com/en-us/HT204915
Read more in:
The Register: As of today, iThings are even harder for police to probe http://www.theregister.co.uk/2017/03/28/apple_file_system_debuts/
eWeek: Apple Patches Large Number of Flaws in iOS, macOS Updates http://www.eweek.com/security/apple-patches-large-number-of-flaws-in-ios-macos-updates
Threatpost: Apple Fixes 223 Vulnerabilities Across macOS, iOS, Safari https://threatpost.com/apple-fixes-223-vulnerabilities-across-macos-ios-safari/124599/
Apple: About the security content of macOS Sierra 10.12.4 ... https://support.apple.com/en-us/HT207615
Apple: About the security content of iOS 10.3 https://support.apple.com/en-us/HT207617
Apple: About the security content of Safari 10.1 https://support.apple.com/en-us/HT207600
INTERNET STORM CENTER TECH CORNER
New Exploit Variant for Recent Struts2 Vulnerability
https://blog.gdssecurity.com/labs/2017/3/27/an-analysis-of-cve-2017-5638.html
PoC Exploit for iBook ePub JavaScript Vulnerability
https://s1gnalcha0s.github.io/ibooks/epub/2017/03/27/This-book-reads-you-using-JavaScript.html
Microsoft Docs.com Leak
https://twitter.com/gossithedog/status/845446263244050434
Symantec SSL CA tool
https://www.renditioninfosec.com/socapps/sslcheck/index.php
Logical and Physical Security Correlation
https://isc.sans.edu/forums/diary/Logical+Physical+Security+Correlation/22243/
Recent Mirai DDoS Attacks
https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html
Crusader Injects Fake Support Phone Numbers into Websites
https://www.bleepingcomputer.com/news/security/adware-replaces-phone-numbers-for-security-firms-returned-in-search-results/
VMware Closes Pwn2Own Guest Escape Vulnerabilities
http://www.vmware.com/security/advisories/VMSA-2017-0006.html
Apple iCloud for Windows Update
https://support.apple.com/de-de/HT207607
Diverting built-in features for the bad
https://isc.sans.edu/forums/diary/Diverting+builtin+features+for+the+bad/22250/
Fake Job Offers to GitHub Developers Include Malware
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/
Drones with Lasers!
https://arxiv.org/pdf/1703.07751.pdf
***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create