SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #3
January 10, 2017TOP OF THE NEWS
DOE Report: Power Grid in 'Imminent Danger' of Cyber AttackStates Making Lists of Breached Companies Public
St. Jude Releases Heart Implant Security Update
THE REST OF THE WEEK'S NEWS
libvncserver Security UpdateTruffleHog Helps Find Hard-Coded Access Keys in Software
Declassified Report Says Putin Ordered Propaganda Campaign to Sway U.S. Election
Feds Drop Case Against Alleged Sex Offender Rather than Reveal Tor Investigation Techniques
Guilty Plea in eMail Breach Case
DHS: U.S. Election Systems are Critical Infrastructure
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER*************************** Sponsored By Splunk ******************************
Looking for some specific ways to get started using Splunk? We can help. We have a step-by-step online experience to walk you through how to use login activity and Splunk to detect, validate and scope threats in your environment.
Learn more here: http://www.sans.org/info/191292
********************************************************************************
TRAINING UPDATE
--SANS Brussels Winter 2017 | Brussels, Belgium | Jan 16-21, 2017 | https://www.sans.org/event/brussels-winter-2017
--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017
--SANS Las Vegas 2017 | Las Vegas, NV | January 23-30, 2017 | https://www.sans.org/event/las-vegas-2017
--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017
--SANS Southern California - Anaheim 2017 | Anaheim, CA |February 6-11, 2017 | https://www.sans.org/event/anaheim-2017
--SANS Munich Winter 2017 | Munich, Germany | February 13-18, 2017 | https://www.sans.org/event/munich-winter-2017
--SANS Secure Japan 2017 | Tokyo, Japan | February 13-25, 2017 | https://www.sans.org/event/secure-japan-2017
--SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017
--SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017
--SANS Online Training: Get an iPad Pro, Samsung Galaxy Tab S2, or $500 off with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.
--Single Course Training SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/
***************************************************************************
TOP OF THE NEWS
DOE Report: Power Grid in 'Imminent Danger' of Cyber Attack (January 6, 2017)
According to a report from the U.S. Department of Energy (DOE), cyber attacks pose an "imminent threat" to the country's power grid. The report says that attacks are becoming increasingly sophisticated and more frequent. Grid operators have adopted security measures to mitigate the risks of attacks.Read more in:
U.S. Dept. of Energy: Quadrennial Energy Review Second Installment
-https://energy.gov/epsa/downloads/quadrennial-energy-review-second-installment
The Hill: Energy Dept. report highlights new threats to electric grid
-http://thehill.com/policy/energy-environment/313000-doe-report-highlights-new-th
reats-to-electric-grid
Bloomberg: U.S. Grid in 'Imminent Danger' From Cyber-Attack, Study Says
-https://www.bloomberg.com/news/articles/2017-01-06/grid-in-imminent-danger-from-
cyber-threats-energy-report-says
States Making Lists of Breached Companies Public (January 6, 2017)
All but three U.S. states require organizations that experience security breaches affecting their residents to report those breaches. While this information is available if people know to ask for it, four states - California, Indiana, Washington, and Massachusetts - have begun making the information publicly and freely available.Read more in:
Wired: A Few States Now Actually Help You Figure Out if You've Been Hacked
-https://www.wired.com/2017/01/states-now-actually-help-figure-youve-hacked/
Declassified Report Says Putin Ordered Propaganda Campaign to Sway U.S. Election (January 6, 2017)
According to a report from the Office of the Director of National Security, Russian President Vladimir Putin directed ordered a propaganda campaign to interfere in November's U.S. presidential election. The declassified report is an edited version of the longer, classified report that provided details about the methods used in the campaign.Read more in:
Wired: Fed's Damning Report on Russian Election Hack Won't Convince Skeptics
-https://www.wired.com/2017/01/feds-damning-report-russian-election-hack-wont-con
vince-skeptics/
SC Magazine: Declassified intelligence report says Putin, Russia meddled in U.S. presidential election
-https://www.scmagazine.com/declassified-intelligence-report-says-putin-russia-me
ddled-in-us-presidential-election/article/630251/
Computerworld: U.S. says Putin ordered election cyber-meddling to favor Trump
-http://computerworld.com/article/3155436/election-hacking/us-putin-ordered-elect
ion-cyber-meddling-to-favor-trump.html
KrebsOnSecurity: DNI: Putin Led Cyber, Propaganda Effort to Elect Trump, Denigrate Clinton
-https://krebsonsecurity.com/2017/01/dni-putin-led-cyberattack-propaganda-effort-
to-elect-trump-denigrate-clinton/
Federal News Radio: US report: Putin ordered effort to help Trump, hurt Clinton
-http://federalnewsradio.com/cybersecurity/2017/01/classified-report-on-russia-el
ection-hacking-going-to-trump/
St. Jude Releases Heart Implant Security Update (January 9, 2017)
The U.S. Food and Drug Administration (FDA) says that security issues in St. Jude Medical cardiac implant devices could be exploited to run down the battery or alter the device's rhythms. Abbott Laboratories, which recently acquired St. Jude, has released an update to fix the flaws. It will be automatically pushed out to affected devices.[Editor Comments ]
[Jake Williams ]
This release is significant because St. Jude originally denied and downplayed the vulnerabilities released by MedSec and Muddy Waters. This is a validation that at least some of those vulnerabilities were real (and significant enough to warrant an FDA warning). Expect more security researchers to cash in on vulnerabilities by shorting the stock of public companies.
Read more in:
Reuters: St. Jude releases cyber updates for heart devices after U.S. probe
-http://www.reuters.com/article/us-abbott-stjude-heart-idUSKBN14T1WT
CNN: FDA confirms that St. Jude's cardiac devices can be hacked
-http://money.cnn.com/2017/01/09/technology/fda-st-jude-cardiac-hack/
*************************** SPONSORED LINKS ********************************
1) Don't Miss: "Hunting with Cyber Deception and Incident Response Automation" Register: http://www.sans.org/info/191297
2) Webcast: Next generation analysts for next generation threats - lessons from deploying best practices to hundreds of SOC teams! Register: http://www.sans.org/info/191302
3) Looking for a solution to your security issue? Visit the SANS Affiliate Directory for a list of vendors who may be able to help! http://www.sans.org/info/191307
******************************************************************************
THE REST OF THE WEEK'S NEWS
libvncserver Security Update (January 5 & 9, 2017)
Debian has released a security update to address a flaw in the libvncserver libraries that "incorrectly processed incoming network packets." The heap-based buffer overflow issue could be exploited to create denial of service (DoS) conditions or execute arbitrary code.[Editor Comments ]
[Jake Williams ]
If you are running VNC in your network, this is a "patch now" event. In general, we recommend that clients not expose remote access services such as VNC and RDP directly to the Internet, preferring VPN or SSH tunneling instead. Having looked at the vulnerability, I think the probability for a remote code execution PoC in the coming weeks is high.
Read more in:
The Register: VNC server library gets security fix
-http://www.theregister.co.uk/2017/01/09/vnc_server_library_gets_security_fix/
Debian: Security Advisory: libvncserver - security update
-https://www.debian.org/security/2017/dsa-3753
TruffleHog Helps Find Hard-Coded Access Keys in Software (January 9, 2017)
A new tool known as TruffleHog searches git repositories to find hard-coded access keys. The tool has been made public. Hard-coding keys in software projects poses security risks. TruffleHog detects high entropy strings that are larger than 20 characters.Read more in:
ZDNet: GitHub secret key finder released to public
-http://www.zdnet.com/article/trufflehog-high-entropy-key-hunter-released-to-the-
masses/
Computerworld: This tool can help weed out hard-coded keys from software projects
-http://computerworld.com/article/3155481/security/this-tool-can-help-weed-out-ha
rd-coded-keys-from-software-projects.html
SC Magazine UK: Secret key-finding tool launched
-https://www.scmagazineuk.com/secret-key-finding-tool-launched/article/630339/
The Register: Hacker publishes GitHub secret key hunter
-http://www.theregister.co.uk/2017/01/09/hacker_publishes_github_secret_key_hunte
r/
GitHub: TruffleHog
-https://github.com/dxa4481/truffleHog
Feds Drop Case Against Alleged Sex Offender Rather than Reveal Tor Investigation Techniques (January 6 & 9, 2017)
The FBI has dropped a case against an alleged sex offender rather than reveal information about the methods used to obtain evidence against him. Authorities arrested a Washington state middle school teacher for allegedly accessing a website through the Tor network known to host child abuse material (pornography). Federal investigators were surreptitiously operating the site at the time, using a tool that revealed Tor users' IP addresses. A judge ordered the FBI to disclose the source code for the tool it used to identify the suspect but instead, the FBI has dropped its appeal.[Editor Comments ]
[Jake Williams ]
Legal precedent aside, the DoJ is sending a message by dropping the case. This may simply be a bureaucratic maneuver where DoJ doesn't have the code to release and FBI won't supply it (or it may not be the FBI's in the first place). More likely it sends the message that the technique is still actively being used in the field. This seems to refute the earlier speculation that the now patched Firefox vulnerability CVE-2016-9079 (
-https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/)
was the vulnerability used by the FBI. This might indicate that the NIT uses more than one vulnerability, or that enough investigation targets are using an unpatched browser to justify keeping the vulnerability a secret.
[William Hugh Murray ]
Since it is prosecutors, not the FBI, that "drops" cases, one infers that this is DoJ policy. One inferred after the Stingray debacle that the people and their representatives did not want law enforcement to hide investigative tools from the courts. One presumes that they hide to avoid the Fourth Amendment requirement for a warrant. Since warrants are routine, one might infer that it is the supervision and limitations that they seek to avoid. Finally, this case might raise the question of whether or not we want law enforcement to operate "honey pots," whether such operation raises the question of entrapment.
Read more in:
The Register: FBI let alleged pedophile walk free rather than explain how they snared him
-http://www.theregister.co.uk/2017/01/06/fbi_lets_people_off_to_keep_methods_secr
et/
Ars Technica: Feds may let Playpen child porn suspect go to keep concealing their source code
-http://arstechnica.com/tech-policy/2017/01/feds-may-let-playpen-child-porn-suspe
ct-go-to-keep-concealing-their-source-code/
Guilty Plea in eMail Breach Case (January 6 & 9, 2017)
Justin Liverman has pleaded guilty to conspiracy to commit unauthorized computer intrusions, identity theft, and telephone harassment for his role in breaking into email accounts belonging to senior U.S. government officials, including CIA director John Brennan's AOL email account. The stolen email messages were published on WikiLeaks. Four other individuals in the U.S. and the U.K. have been arrested in connection with the breach. Liverman faces up to five years in prison.Read more in:
The Register: CIA director AOL email hacker coughs to crime
-http://www.theregister.co.uk/2017/01/06/hacker_of_cia_directors_email_takes_plea
/
Ars Technica: How hackers made life hell for a CIA boss and other top US officials
-http://arstechnica.com/tech-policy/2017/01/how-hackers-made-life-hell-for-a-cia-
boss-and-other-top-us-officials/
U.S. Dept. of Justice: North Carolina Man Pleads Guilty To Hacking Conspiracy That Targeted Senior U.S. Government Officials
-https://www.justice.gov/usao-edva/pr/north-carolina-man-pleads-guilty-hacking-co
nspiracy-targeted-senior-us-government
DHS: U.S. Election Systems are Critical Infrastructure (January 6 & 9, 2017)
The US Department of Homeland Security (DHS) has designated the U.S. election system as a subsector of the Government Facilities critical infrastructure sector. While state and local election officials have expressed concern about the change, according to a statement from DHS Secretary Jeh Johnson, the new designation does not mean that the government is taking over election systems but instead that it is prioritizing the systems to receive cybersecurity assistance.[Editor Comments ]
[William Hugh Murray ]
Even if one grants that election systems are infrastructure, cyber security is not the problem. This may be the infrastructure that remains the least dependent upon computers attached to the public networks.
[Gal Shpantzer ]
Note that the campaigns and the parties (DNC/RNC/etc) are not in scope to this designation. So if the Podesta and DNC hack were to happen in 2020, this designation would not apply any further resources to the 2016 targets.
Read more in:
Washington Post: US designates election infrastructure as 'critical'
-https://www.washingtonpost.com/politics/us-likely-to-designate-election-infrastr
ucture-as-critical/2017/01/06/64494986-d45c-11e6-9651-54a0154cf5b3_story.html
Dark Reading: DHS Designates Election Systems As Critical Infrastructure
-http://www.darkreading.com/risk/dhs-designates-election-systems-as-critical-infr
astructure/d/d-id/1327856?
SC Magazine: DHS designated election systems as critical infrastructure, under 'Government Facilities' category
-https://www.scmagazine.com/dhs-designates-election-systems-as-critical-infrastru
cture-under-government-facilities-category/article/630523/
U.S. Dept. of Homeland Security: Statement by Secretary Jeh Johnson on the designation of Election Infrastructure as a Critical Infrastructure Subsector
-https://www.dhs.gov/news/2017/01/06/statement-secretary-johnson-designation-elec
tion-infrastructure-critical
INTERNET STORM CENTER TECH CORNER
Careful With Security Tools That Submit Files to Virustotal-https://isc.sans.edu/forums/diary/Great+Misadventures+of+Security+Vendors+Absurd
+Sandboxing+Edition/21895/
Vulnerable Security Tools Can Be Used Against You
-https://isc.sans.edu/forums/diary/Using+Security+Tools+to+Compromize+a+Network/2
1903/
Elaborate Ransomware Attacks
-http://www.actionfraud.police.uk/news/department-of-education-ransomware-alert-j
an17
E-Mail and iTunes Popup Extortion
-https://blog.malwarebytes.com/101/mac-the-basics/2017/01/tech-support-scam-page-
attempts-denial-of-service-via-mail-app/
Damn Vulnerable Web Sockets (DVWS) Demonstrates WebSocket Vulnerabilities
-https://github.com/interference-security/DVWS
St. Jude Medical Patches Vulnerable Cardiac Devices
-https://threatpost.com/st-jude-medical-patches-vulnerable-cardiac-devices/122955
/
Cracking Hashes of Passwords 12 Characters and Longer
-http://www.netmux.com/blog/cracking-12-character-above-passwords
VNC Library Update
-https://www.debian.org/security/2017/dsa-3753
***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
