SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #30
April 14, 2017TOP OF THE NEWS
Dallas Sirens Triggered by Radio Signal Hack
WordPress Sites Attacked Through Vulnerable Home Routers
Patched Word Flaw Used by Governments and Criminals
THE REST OF THE WEEK'S NEWS
DNS Server Outage Due to DDoS, Says Melbourne IT
NSA Cybersecurity Defense Exercise Challenges Service Academy Cadets
SAP's April Security Notes Include TREX Update
SWIFT's New Fraud Prevention Tool
Microsoft Retires Security Bulletin Model
Ohio Prison Inmates Built Secret Computers and Hid Them in the Ceiling
Patch Tuesday Includes Fix for Zero-Day Word Flaw
Adobe Releases Updates for Flash, Reader, and Other Products
Computer Engineer Arrested for Allegedly Stealing Proprietary Code
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER************************** Sponsored By Cisco Systems *************************
The cloud opens up a whole new world for businesses; but it also creates fresh opportunities for attackers. As cloud adoption rises, so do security risks, with one of the biggest being a lack of network visibility. Read our FREE eBook and learn how to extend network visibility to the cloud for comprehensive threat protection. http://www.sans.org/info/194242
********************************************************************************
TRAINING UPDATE
-- SANS Automotive Cybersecurity Summit & Training | Detroit, MI | May 1-8, 2017 | https://www.sans.org/event/automotive-cybersecurity-summit/
-- SANS Security West 2017 | San Diego, CA | May 9-18 | https://www.sans.org/event/sans-security-west-2017
-- SANS San Francisco Summer 2017 | June 5-10 | https://www.sans.org/event/san-francisco-summer-2017
-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 | https://www.sans.org/event/security-operations-center-summit-2017
-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 | https://www.sans.org/event/secure-europe-2017
-- SANS Cyber Defence Canberra 2017 | June 26-July 8 | https://www.sans.org/event/cyber-defence-canberra-2017
-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017
-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017
--SANSFIRE 2017 | Washington, DC | July 22-29 | https://www.sans.org/event/sansfire-2017
-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/***************************************************************************
TOP OF THE NEWS
Dallas Sirens Triggered by Radio Signal Hack (April 11 & 12, 2017)
The blast of emergency sirens in Dallas late last Friday night was triggered not by hacking a computer system, as was first posited, but instead by hacking a radio signal. The Federal Communications Commission (FCC) has been notified and law enforcement is investigating the incident. City officials have taken steps to improve the sirens' security, "including added encryption other security measures." Dallas City manager T.C. Broadnax said the incident has prompted him to "begin the process of looking at critical system city-wide, to examine what, if any vulnerabilities may exist."[Editor Comments]
[Neely] This is reminiscent of the discovery in the vulnerability of traffic signal control systems by IOActive researchers in 2014. While security measures were developed to defend that system from radio attack, the deployment has been slow and difficult. The good news here is not only is the city of Dallas actively applying the updates to the encryption used to protect their system, but also reviewing the security of their other critical systems. When the system was deployed, the system was designed to last, as-is for many years (20-30) and the encryption was sufficiently robust to protect the system from misuse, just as DES used to be good enough to protect microwave transmissions, and technology such as SDR and well as the availability of compute resources to defeat it have now rendered that encryption obsolete.
[Williams] Whether the edge of the network is at an unsecured network jack, an 802.11 signal or any other radio interface, security matters. Unfortunately, many in infosec fail to understand the risk from assets insecurely networked, particularly those in the ISM band.
Read more in:
WSJ: Tornado-Siren False Alarm Shows Radio Hacking-Risk https://www.wsj.com/articles/tornado-siren-false-alarm-shows-radio-hacking-risk-1492042082
Ars Technica: Pirate radio: Signal spoof set off Dallas emergency sirens, not network hack https://arstechnica.com/information-technology/2017/04/dallas-siren-hack-used-radio-signals-to-spoof-alarm-says-city-manager/
Computerworld: Hacked Dallas sirens get extra encryption to fend off future attacks http://computerworld.com/article/3189079/security/hacked-dallas-sirens-get-extra-encryption-to-fend-off-future-attacks.html
Govdelivery: City Manager update on outdoor siren warning system https://content.govdelivery.com/bulletins/gd/TXDALLAS-1936de1?wgt_ref=TXDALLAS_WIDGET_3
WordPress Sites Attacked Through Vulnerable Home Routers (April 12, 2017)
Attackers are hijacking vulnerable home routers to launch attacks against WordPress sites. The attacks exploit two flaws in the TR-069 router management protocol to send malicious requests to port 7547. Experts have been advising home users to limit access to port 7547. Internet service providers (ISPs) could take steps to help prevent these attacks by filtering traffic coming from the public Internet that is targeting port 7547.[Editor Comments]
[Williams] We have seen a huge uptick in WordPress attack traffic in the last week, which is almost certainly due to this attack. However, telling "home users" to limit access to port 7547 is almost useless. If we expect to combat these types of flaws in the future, we need to issue advice that users can actually follow. I'm happy if a home user has enabled automatic updates. I doubt most know how to block port 7547.
Read more in:
BleepingComputer: Home Routers Used to Hack WordPress Sites https://www.bleepingcomputer.com/news/security/home-routers-used-to-hack-wordpress-sites/
Patched Word Flaw Used by Governments and Criminals (April 12, 2017)
One of the vulnerabilities fixed in Microsoft's Patch Tuesday for April has been used by both governments and criminals. The flaw in Microsoft Word lies in Windows' Object Linking and Embedding (OLE) function. Criminals have been exploiting the vulnerability to spread Dridex banking malware. The vulnerability has also been exploited by governments to conduct espionage.Read more in:
ZDNet: Recently patched Microsoft Word exploit was used by both governments and criminal hackers http://www.zdnet.com/article/recently-patched-microsoft-word-bug-was-exploited-for-surveillance-and-espionage/
The Hill: Report: Microsoft Word flaw was used in both espionage, crime since January http://thehill.com/policy/cybersecurity/328437-report-microsoft-word-flaw-used-in-espionage-crime-since-january
CyberScoop: Millions hit with banking malware using new Microsoft Word zero day https://www.cyberscoop.com/millions-hit-banking-malware-using-new-microsoft-word-zero-day/
*************************** SPONSORED LINKS ********************************
1) Detecting adversaries and threats already inside your network. Get the white paper. http://www.sans.org/info/194247
2) VMRay Analyzer: Fast, in-depth malware analysis. See the difference at the SANS THIR Summit. http://www.sans.org/info/194252
3) What threats keep you up at night? Take SANS survey! Enter to win prize. http://www.sans.org/info/194257
******************************************************************************
THE REST OF THE WEEK'S NEWS
DNS Server Outage Due to DDoS, Says Melbourne IT (April 13, 2017)
Melbourne IT, an Australian domain name registrar, has acknowledged that a distributed denial-of-service (DDoS) attack disrupted web hosting, email, and access to the administration portal. The attack began at 10:00 AM local time on Thursday. Melbourne IT "implemented DDoS mitigation services" and other measures and service was returned to normal by 11:30 AM. The attack affected Melbourne IT subsidiaries Netregistry and TTP Wholesale as well.[Editor Comments]
[Williams] DDoS is notoriously difficult to protect against. In many cases organizations look to protect web servers from DDoS but neglect other network assets. This case shows how critical DNS servers are for service providers. Organizations should consider offloading DNS for public facing assets to a service provider with adequate DDoS protection to avoid these sorts of outages.
[Northcutt] It has happened before and it will happen again. I guess someone wants to hold a registrar or the whole Internet hostage. More serious root server attacks include:
https://www.theregister.co.uk/2015/12/08/internet_root_servers_ddos/
https://blog.thousandeyes.com/ddos-attack-varying-impacts-dns-root-servers/
Read more in:
ZDNet: Melbourne IT DNS outage has been 'mitigated' http://www.zdnet.com/article/melbourne-it-dns-outage-has-been-mitigated/
ZDNet: Melbourne IT confirms DDoS attack behind DNS outage http://www.zdnet.com/article/melbourne-it-confirms-ddos-attack-behind-dns-outage/
NSA Cybersecurity Defense Exercise Challenges Service Academy Cadets (April 12 & 13, 2017)
The NSA's annual Cybersecurity Defense Exercise (CDX) took place this week. Teams of students from service academies in the US and Canada were challenged with protecting networks they create from attackers while ensuring that they remained resilient and reliable for everyday users. The exercise environment comprises four cells: the attackers are the red cell; the defenders are the blue cell; referees are the white cell; and "neutral users" are the gray cell. Participants worked from labs at their own institutions.Read more in:
CyberScoop: Inside the NSA's CDX, a high-tech competition pitting cadets against elite hackers https://www.cyberscoop.com/inside-nsas-cdx-high-tech-competition-pitting-cadets-elite-attackers/?category_news=technology
FNR: NSA gives military students a leg up on cyber with real-time exercise http://federalnewsradio.com/cybersecurity/2017/04/nsa-gives-military-students-leg-cyber-real-time-exercise/
SAP's April Security Notes Include TREX Update (April 12 & 13, 2017)
On Tuesday, April 11, SAP released 27 Security Notes, including a fix for a remote code execution flaw in SAP TREX/BWA that is rated 9.4 out of 10 on the severity scale. That flaw was first patch in 2015, but that fix did not completely address the problem.Read more in:
The Register: SAP's TREX exposed HANA, NetWeaver http://www.theregister.co.uk/2017/04/13/sap_trex_patch/
V3: Patch Tuesday: SAP publishes 27 Security Notes, including one with a 'severity rating' of 9.4 http://www.v3.co.uk/v3-uk/news/3008355/patch-tuesday-sap-publishes-27-security-notes-including-one-with-a-severity-rating-of-94
Threatpost: SAP Updates Two-Year-Old Patch for TREX Vulnerability https://threatpost.com/sap-updates-two-year-old-patch-for-trex-vulnerability/124936/
SAP: SAP Security Patch Day - April 2017 https://blogs.sap.com/2017/04/11/sap-security-patch-day-april-2017/
SWIFT's New Fraud Prevention Tool (April 12 & 13, 2017)
International banking messaging service SWIFT is introducing an anti-fraud payment controls service that lets users "screen their payment messages based on their chosen parameters... to detect any unusual message flows." The service will also provide real-time alerts about messages that appear suspicious. The tool is part of the Customer Security Programme SWIFT implemented following the USD 81 million theft from the Bangladesh Bank's account at the Federal Reserve Bank of New York.Read more in:
The Register: SWIFT on security: Fresh anti-bank-fraud defenses now live http://www.theregister.co.uk/2017/04/13/swift_antifraud_payments_service/
The Hill: Interbank messaging service SWIFT launches new tool to prevent fraud http://thehill.com/policy/cybersecurity/328504-interbank-messaging-service-swift-launches-new-tool-to-prevent-fraud
SWIFT: SWIFT launches new anti-fraud payment control service for customers https://www.swift.com/news-events/news/swift-launches-new-anti-fraud-payment-control-service-for-customers
Microsoft Retires Security Bulletin Model (April 12, 2017)
With its April security updates, Microsoft has eliminated the security bulletins it has been issuing for years. Microsoft initially said the bulletins would be retired as of February. The bulletins have been replaced with a searchable database of support documents, accessible through the Security Update Guide portal.Read more in:
Computerworld: Microsoft kills off security bulletins after several stays http://computerworld.com/article/3189686/windows-pcs/microsoft-kills-off-security-bulletins-after-several-stays.html
Microsoft: Security Update Guide Portal https://portal.msrc.microsoft.com/en-us/security-guidance
Ohio Prison Inmates Built Secret Computers and Hid Them in the Ceiling (April 12, 2017)
Inmates at an Ohio prison managed to build two computers from parts taken from a prison computer skills and recycling program. The prisoners hid the computers in the ceiling of the facility and used them to connect to the prison's network, where they were used to apply for credit cards, research tax refund fraud, and obtain prison passes for restricted areas. Officials were alerted to the problem when the Ohio Department of Rehabilitation and Correction (ODRC) IT department received an email alerting them that a computer had exceeded its daily Internet use threshold. The computers were discovered in July 2015, ODRC did not report them immediately. The five inmates involved have been moved to other facilities.Read more in:
Ars Technica: Inmates built computers hidden in ceiling, connected them to prison network https://arstechnica.com/tech-policy/2017/04/inmates-built-computers-hidden-in-ceiling-connected-them-to-prison-network/
The Register: Prisoners built two PCs from parts, hid them in the ceiling, connected to the state's network and did cybershenanigans http://www.theregister.co.uk/2017/04/12/prisoners_built_computer_connected_to_states_network/
Computerworld: Crafty Ohio inmates scavenged parts, built PCs for hacking and hid them in ceiling http://computerworld.com/article/3189177/security/crafty-ohio-inmates-scavenged-parts-built-pcs-for-hacking-and-hid-them-in-ceiling.html
BleepingComputer: Five Inmates Built Two PCs and Hacked a Prison From Within https://www.bleepingcomputer.com/news/security/five-inmates-built-two-pcs-and-hacked-a-prison-from-within/
Ohio IG: Report of Investigation (PDF) http://watchdog.ohio.gov/Portals/0/pdf/investigations/2015-CA00043.pdf
Patch Tuesday Includes Fix for Zero-Day Word Flaw (April 11 & 12, 2017)
Microsoft's April batch of security updates includes a fix for a zero-day flaw in Word that is being actively exploited. In all, the release addresses 45 vulnerabilities in Office, Internet Explorer, edge, and other products. The April release also marks the shift from Security Bulletins to the new Security Update Guide portal.Read more in:
The Register: Cowardly Microsoft buries critical Hyper-V, WordPad, Office, Outlook, etc security patches in normal fixes http://www.theregister.co.uk/2017/04/11/patch_tuesday_mess/
ZDNet: Microsoft fixes 'critical' Office Word security flaw under active attack http://www.zdnet.com/article/microsoft-fixes-exploited-critical-word-security-flaw/
DarkReading: Microsoft Office Zero-Day Patched After Months of Attacks http://www.darkreading.com/vulnerabilities---threats/microsoft-office-zero-day-patched-after-months-of-attacks/d/d-id/1328607?
eWeek: Microsoft Patches Critical Zero-Day Exploit in Office Suite http://www.eweek.com/security/microsoft-patches-critical-zero-day-exploit-in-office-suite
Softpedia: Microsoft Fixes 45 Security Flaws, Some Allowing Hackers to Hijack Your PC http://news.softpedia.com/news/microsoft-fixes-45-security-flaws-some-allowing-hackers-to-hijack-your-pc-514806.shtml
Microsoft: Security Update Guide Portal https://portal.msrc.microsoft.com/en-us/security-guidance
Adobe Releases Updates for Flash, Reader, and Other Products (April 11 & 12, 2017)
Adobe has released security updates to address nearly 60 vulnerabilities in Flash Player, Acrobat and Reader, Photoshop, Adobe Campaign, and the Adobe Creative Cloud App. Of the 59 flaws fixes, 44 are rated critical.[Editor Comments]
[Murray] Flash continues to leak literally "like a sieve." One hopes that the community is finally getting the message and is removing Flash rather than trying to patch it. One cannot patch Flash to any reasonable level of confidence. There may be no other single measure available to the community that will provide the bang for the buck of killing Flash once and for all.
Read more in:
KrebsOnSecurity: Critical Security Updates From Adobe, Microsoft https://krebsonsecurity.com/2017/04/critical-security-updates-from-adobe-microsoft/
Threatpost: Adobe Patches 59 Vulnerabilities Across Flash, Reader, Photoshop https://threatpost.com/adobe-patches-59-vulnerabilities-across-flash-reader-photoshop/124914/
BleepingComputer: Adobe Publishes Security Updates for Flash, Reader, Photoshop, and Creative Cloud https://www.bleepingcomputer.com/news/security/adobe-publishes-security-updates-for-flash-reader-photoshop-and-creative-cloud/
Adobe: Security updates available for Adobe Flash Player https://helpx.adobe.com/security/products/flash-player/apsb17-10.html
Adobe: Security Updates Available for Adobe Acrobat and Reader https://helpx.adobe.com/security/products/acrobat/apsb17-11.html
Computer Engineer Arrested for Allegedly Stealing Proprietary Code (April 7, 10, & 11, 2017)
The FBI has arrested Zhengquan Zhang, a computer engineer at financial firm KCG Holdings, for allegedly stealing proprietary trading algorithm source code and encryption keys. Zhang allegedly stole more than 3 million files from KCG. He has been charged with theft of trade secrets.[Editor Comments]
[Murray] This may not have been a case of "excessive privilege" but it continues to be widespread problem. We need more control, transparency, and accountability over privileged users. This must include strong authentication, multi-party controls, and the use of tools like CyberArk.
Read more in:
DoJ: Computer Engineer Arrested For Theft Of Proprietary Trading Code From His Employer https://www.justice.gov/usao-sdny/pr/computer-engineer-arrested-theft-proprietary-trading-code-his-employer
CyberScoop: Insider charged with writing malware to steal Wall Street firm's crown jewel algorithms https://www.cyberscoop.com/rogue-insider-charged-writing-malware-steal-wall-street-firms-crown-jewel-algorithms/
The Register: Software dev cuffed for 'nicking proprietary financial trading code' https://www.theregister.co.uk/2017/04/11/software_developer_cuffed_for_stealing_code/
INTERNET STORM CENTER TECH CORNER
MSFT/Adobe Patch Tuesday
https://isc.sans.edu/forums/diary/April+2017+Microsoft+Patch+Tuesday/22288/Solaris 0-Day
https://twitter.com/hackerfantastic/status/851555538597011460OWASP Top 10 Update
https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdfMole Ransomware Delivered via Fake USPS E-Mails
https://isc.sans.edu/forums/diary/Malspam+on+20170411+pushes+yet+another+ransomware+variant/22290/Identifying httpS-Protected Netflix Videos in Real-Time
https://www.mjkranch.com/docs/CODASPY17_Kranch_Reed_IdentifyinghttpSNetflix.pdfSMS Messages Used to Control Oven
https://www.pentestpartners.com/blog/iot-Aga-cast-iron-security-flaw/Android Hardening TLS Use
https://android-developers.googleblog.com/2017/04/android-o-to-drop-insecure-tls-version.htmlPacket Captures Filtered By Process
https://isc.sans.edu/forums/diary/Packet+Captures+Filtered+by+Process/22296/C-LDAP Used to Amplify DDoS Attack
https://isc.sans.edu/forums/diary/Akamai+reports+UDP+DDOS+Using+CLDAP+reaching+24Gbps/22300/Juniper Updates
https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVISORIESSAP Patches Code Injection in TREX
https://erpscan.com/press-center/press-release/critical-vulnerability-affects-sap-hana-dozen-sap-applications/More Details About Dallas Siren Hack
https://duo.com/blog/the-dallas-county-siren-hack***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
