SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #31
April 18, 2017TOP OF THE NEWS
Company Sues Former Employee Over Logic Bomb
Man Admits He Broke Into Former Employer's System
Microsoft Publishes Digital Geneva Convention Documents
THE REST OF THE WEEK'S NEWS
2017 National Collegiate Cyber Defense Competition
VMware Update Fixes Critical Remote Code Execution Vulnerability
Army Reserve Wants Civilians with Cyber Skills
BankBot Trojan Evading Detection
Plea Change in Government Computer Hacking Case
Microsoft Patched Shadow Brokers Windows Flaws Before Data Dump
Microsoft Blocks Updates for Older Versions of Windows on New Processors
Shadow Brokers Release Documents That Suggest NSA Infiltrated SWIFT-Connected Firms
Old Systems Need People Who Know How to Fix Them
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER************************** Sponsored By Splunk ***************************
Splunk named a leader in the Forrester Wave: Security Analytics Platforms, Q1 2017. To assess the state of the security analytics (SA) market and see how vendors stack up against each other, Forrester evaluated the strengths and weaknesses of top SA vendors. Register for a complimentary copy to discover why. http://www.sans.org/info/194260
****************************************************************************
TRAINING UPDATE
-- SANS Automotive Cybersecurity Summit & Training | Detroit, MI | May 1-8, 2017 | https://www.sans.org/event/automotive-cybersecurity-summit/
-- SANS Security West 2017 | San Diego, CA | May 9-18 | https://www.sans.org/event/sans-security-west-2017
-- SANS San Francisco Summer 2017 | June 5-10 | https://www.sans.org/event/san-francisco-summer-2017
-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 | https://www.sans.org/event/security-operations-center-summit-2017
-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 | https://www.sans.org/event/secure-europe-2017
-- SANS Cyber Defence Canberra 2017 | June 26-July 8 | https://www.sans.org/event/cyber-defence-canberra-2017
-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017
-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017
--SANSFIRE 2017 | Washington, DC | July 22-29 | https://www.sans.org/event/sansfire-2017
-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/***************************************************************************
TOP OF THE NEWS
Company Sues Former Employee Over Logic Bomb (April 13 & 14, 2017)
Allegro MicroSystems in Massachusetts is suing a former employee for allegedly planting a logic bomb in a financial database. Nimesh Patel began working at Allegro in 2002 and resigned on January 8, 2016. Court documents allege that Patel used an unreturned company-issued laptop and another employee's credentials to access the company's network on January 31, 2016, when he planted the logic bomb. It was scheduled to activate on April 1, the first day of the company's financial year. The sabotage was detected on April 14, and within two weeks, the logic bomb code was found.[Editor Comments]
[Williams] Logic bombs are notoriously difficult to find in a network. The best defense is using good user behavior analytics (UBA) to stop the attack in the first place.
Read more in:
BleepingComputer: Former Sysadmin Accused of Planting "Time Bomb" in Company's Database https://www.bleepingcomputer.com/news/security/former-sysadmin-accused-of-planting-time-bomb-in-companys-database/
The Register: Sysadmin 'trashed old bosses' database with ticking logic bomb http://www.theregister.co.uk/2017/04/14/sysadmin_crash_former_employers_oracle_db/
RegMedia: Civil Action Complaint: Allegro Microsystems, LLC vs. Nimesh Patel https://regmedia.co.uk/2017/04/13/allegrovpatelcomplaint.pdf
Man Admits He Broke Into Former Employer's System (April 17, 2017)
Jason Needham has pleaded guilty to breaking into a former employer's network numerous times over a two-year period to steal proprietary information. Needham is the co-owner of an engineering company; his former employer is one of his business competitors.[Editor Comments]
[Henry] I continue to see examples, time after time, of employees and former employees gaining access to networks they have no business being in. While constant monitoring and the deployment of appropriate tripwires can help to detect malicious insider employee activity, eliminating the access of employees once they're no longer employed is a fundamental step in information security. In this case it appears the subject accessed the email account of a former colleague over two years; had those credentials been periodically changed as they should have been (at least every 90 days), the impact of this loss could have been mitigated or entirely eliminated.
[Murray] Most separations are amicable, but, even so, all must be complete and timely. This is particularly true for privileged employees. Before granting a privilege, management must know how to effectively withdraw it at termination time. This will include controls that ensure that employees cannot expand their privileges in ways that are invisible to management. This will usually involve multi-party controls.
[Williams] If an employee leaves for a competitor, it is almost always worth the cost to get competent forensics examiners to preserve the state of the employee's work machine(s) and conduct a preliminary examination. Far too often, even the most trustworthy employees take work product with them to a competitor.
Read more in:
Dark Reading: Man Admits Hacking into His Former Employer's Network http://www.darkreading.com/endpoint/man-admits-hacking-into-his-former-employers-network/d/d-id/1328653?
DOJ: Tennessee Man Pleads Guilty to Unauthorized Access of Former Employer's Networks https://www.justice.gov/opa/pr/tennessee-man-pleads-guilty-unauthorized-access-former-employer-s-networks
Microsoft Publishes Digital Geneva Convention Documents (April 14, 2017)
Microsoft has published a trio of policy papers in support of a Digital Geneva Convention. Two of the documents describe rules for countries and technology companies to abide by in cyberspace; the third calls for establishing an international body to attribute malicious cyberattacks. In a blog post, Microsoft president and Chief Legal Officer Brad Smith, noted that while the G7 has "published a declaration recognizing the urgent need to establish international norms for responsible nation state behavior in cyberspace," voluntary norms do not go far enough. Smith, who spoke about a Digital Geneva Convention at the RSA Conference earlier this year, wrote, "We need to... pursue a legally binding framework that would codify rules for governments and thus help prevent extraordinary damage."[Editor Comments]
[Pescatore] The phrase "Think globally, act locally" (which came out of city planning over 100 years ago) definitely applies here. There is a real need for global norms to think of cyber weapons much the way physical weapons of mass destruction are considered. However, those norms move slooowly and never protect against rogue actors, anyway. On the cyber side, local action (especially by technology sellers, but by technology users as well) can eliminate or reduce vulnerability to the vast majority of cyber attacks. Global treaties prohibiting the use of chemical warfare would be meaningless if everyone was paying for and drinking contaminated water or eating spoiled food.
[Henry] We are well past the time where "this sounds like a good idea." The stakes for our global interconnected society are too high, and the failure to implement some framework binding on governments may be catastrophic. The time for this is now.
Read more in:
NextGov: Microsoft Outlines Cyber Geneva Convention Proposal http://www.nextgov.com/cybersecurity/2017/04/microsoft-outlines-cyber-geneva-convention-proposal/137043/?oref=ng-channelriver
Microsoft: Growing consensus on the need for an international treaty on nation state attacks https://blogs.microsoft.com/on-the-issues/2017/04/13/growing-consensus-need-international-treaty-nation-state-attacks/#sm.0000007mx8kgaypf2hxpi5ku113c3
Microsoft: The need for a Digital Geneva Convention (Brad Smith at RSA 2017)https://blogs.microsoft.com/on-the-issues/2017/02/14/need-digital-geneva-convention/#sm.0000007mx8kgaypf2hxpi5ku113c3
Microsoft: A Digital Geneva Convention to protect cyberspace (PDF) https://mscorpmedia.azureedge.net/mscorpmedia/2017/04/Policy-Paper-Digital-Geneva-Convention.pdf
Microsoft: A Tech Accord to protect people in cyberspace (PDF) https://mscorpmedia.azureedge.net/mscorpmedia/2017/04/Policy-Paper-Industry-Accord.pdf
Microsoft: An attribution organization to strengthen trust online (PDF) https://mscorpmedia.azureedge.net/mscorpmedia/2017/04/Policy-Paper-Attribution-Organization.pdf
*************************** SPONSORED LINKS *****************************
1) Using the Power of Artificial Intelligence to Minimize Your Cybersecurity Attack Surface. Learn More: http://www.sans.org/info/194265
2) Newly Commissioned Research Reveals Alarming Facts Around the Real-World State of Security Operations in 2017 - And What's Being Done. Register: http://www.sans.org/info/194270
3) Take the Threat Landscape Survey and enter to win a $400 Amazon gift card: http://www.sans.org/info/194275
******************************************************************************
THE REST OF THE WEEK'S NEWS
2017 National Collegiate Cyber Defense Competition (April 17, 2017)
A team of students from the University of Maryland, Baltimore County emerged as the winner of the 2017 National Collegiate Cyber Defense Competition. Regional competitions narrowed a field of more than 230 teams to just 10 that participated in the championship round in San Antonio, Texas, last week.Read more in:
CyberScoop: University of Maryland, Baltimore County, wins national cybersecurity championships https://www.cyberscoop.com/national-collegiate-cyber-defense-competition-university-of-maryland-baltimore-county/
Fifth Domain Cyber: Maryland college wins 2017 National Collegiate Cyber Defense Championship http://fifthdomain.com/2017/04/17/maryland-college-wins-2017-national-collegiate-cyber-defense-championship/
VMware Update Fixes Critical Remote Code Execution Vulnerability (April 17, 2017)
VMware has fixed a critical flaw in its vCenter Server that could be exploited to execute code remotely. The vulnerability affects vCenter versions 6.5 and 6.0. Users are urged to upgrade to versions 6.5c or 6.0U3b. The security issue lies in the way BlazeDS processes AMF3 messages.Read more in:
Threatpost: VMware Fixes Critical RCE in vCenter Server https://threatpost.com/vmware-fixes-critical-rce-in-vcenter-server/125000/
VMware: VMware vCenter Server updates resolve a remote code execution vulnerability via BlazeDS https://www.vmware.com/security/advisories/VMSA-2017-0007.html
Army Reserve Wants Civilians with Cyber Skills (April 17, 2017)
The US Army wants to better leverage the cyber skills of its reservists; a pilot program aims to catalog soldiers' talents. The military is also looking for ways to bring in National Guard and Army Reserve members with skills is certain areas, including digital forensics and crypto-analysis. One Army reservist, who has taken a leave from his private sector job to help fight ISIS on the cyber front, says he finds the work rewarding, and "the ability to participate in some way in a real mission, ... you can't find that in the private sector."Read more in:
Fifth Domain Cyber: Army taps reservists with cyber skills to fight ISIS militants http://fifthdomain.com/2017/04/17/army-taps-reservists-with-cyber-skills-to-fight-isis-militants/
BankBot Trojan Evading Detection (April 17, 2017)
Malware known as BankBot has been slipping past Google security measures and finding its way into the Google Play store hidden in apps. BankBot targets bank customers in several countries, including Russia, the UK, Austria, Turkey, and Germany.Read more in:
BleepingComputer: Malware Reaches Play Store as Google Wages War Against BankBot Trojan https://www.bleepingcomputer.com/news/security/malware-reaches-play-store-as-google-wages-war-against-bankbot-trojan/
Plea Change in Government Computer Hacking Case (April 17, 2017)
An Arizona man has changed his plea in a case involving March 2015 attacks on municipal government computers in Arizona and Wisconsin. Randall Charles Tucker had earlier pleaded not guilty to charges of intentionally damaging protected computers and threatening to damage protected computers. Tucker has now pleaded guilty to intentionally damaging protected computers that interfered with communications systems used by emergency workers in Madison, Wisconsin.Read more in:
Minneapolis Star Tribune: Arizona man pleads guilty in cyberattack in Wisconsin http://www.startribune.com/plea-hearing-set-in-case-over-hacking-in-arizona-wisconsin/419614473/
Fifth Domain Cyber: Plea expected in hacking of Arizona, Wisconsin government computers http://fifthdomain.com/2017/04/17/plea-expected-in-hacking-of-arizona-wisconsin-government-computers/
Microsoft Patched Shadow Brokers Windows Flaws Before Data Dump (April 15, 16, & 17, 2017)
Microsoft says that it has fixed most of the Windows vulnerabilities in a recent Shadow Brokers data dump of purported NSA hacking tools. Nine zero-day flaws used in Shadow Brokers' exploits were patched in March; three others were not reproducible on supported platforms and were not patched. Microsoft's actions have piqued curiosity: the nine flaws patched in March mention no source for disclosure, leading some to speculate that the NSA disclosed the flaws to Microsoft.[Editor Comments]
[Ullrich] Microsoft was a bit slow reacting to the release of Friday's tools. But it is good to see that they likely have worked behind the scenes after the release of the tools became inevitable, to patch these vulnerabilities. Still, the fact that the March update claimed for example that the vulnerability was not yet being exploited may have delayed the patch in many organizations. A responsible vendor must provide accurate assessments of the exploitability of vulnerabilities to allow customers to correctly prioritize patches. The respective security bulletin still hasn't been updated yet to reflect the fact that these vulnerabilities are actively being exploited (and were exploited at the time the bulletin was released).
[Northcutt] This is an important story. In some ways Harold Martin mirrors the Snowden story, in fact, they both worked for the same defense contractor. And while the Microsoft story is a great cat and mouse story, the weaponized cybertools that gave NSA deep access into the financial system including SWIFT are even more interesting:
https://www.nytimes.com/2016/10/06/us/nsa-leak-booz-allen-hamilton.html
https://www.wired.com/2017/04/major-leak-suggests-nsa-deep-middle-east-banking-system/
Read more in:
Microsoft: Protecting customers and evaluating risk https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/
ZDNet: Microsoft quietly patched Shadow Brokers' hacking tools http://www.zdnet.com/article/microsoft-quietly-patched-latest-shadow-brokers-hacks/
Ars Technica: Mysterious Microsoft patch killed 0days released by NSA-leaking Shadow Brokers https://arstechnica.com/security/2017/04/purported-shadow-brokers-0days-were-in-fact-killed-by-mysterious-patch/
Quartz: Microsoft mysteriously fixed security gaps allegedly used by US spies a month before they leakedhttps://qz.com/960501/microsoft-msft-mysteriously-managed-to-fix-nsa-targeted-security-gaps-revealed-in-shadow-brokers-leak/
Microsoft Blocks Updates for Older Versions of Windows on New Processors (April 14, 2017)
Microsoft has blocked computers running Windows 7 and 8.1 with new processors from receiving updates. Microsoft announced the change in January 2016, when it noted that making the older operating systems run on the newer processors was "challenging." However, some Windows 7 and 8.1 systems running AMD Carrizo chips were also blocked from receiving updates when they should not have been. Supporters of this decision say that the new updates are blocked because they haven't been tested for that configuration.[Editor Comments]
[Williams] The inevitable outcome of this security disaster is that organizations will upgrade hardware because of purchasing cycles programmed long ago and then skip software patches.
Read more in:
Computerworld: Microsoft begins denying updates to some Windows 7 users http://computerworld.com/article/3189957/windows-pcs/microsoft-begins-denying-updates-to-some-windows-7-users.html
Softpedia: Microsoft Mistakenly Bans Updates on Windows 7 PCs Running on AMD Carrizo http://news.softpedia.com/news/microsoft-mistakenly-bans-updates-on-windows-7-pcs-running-on-amd-carrizo-514899.shtml
WindowsReport: Microsoft now blocks Windows 7, 8.1 updates on Ryzen and Kaby Lake systems http://windowsreport.com/windows-7-8-1-updates-blocked-amd-ryzen-kaby-lake/
Shadow Brokers Release Documents That Suggest NSA Infiltrated SWIFT-Connected Firms (April 14 & 15, 2017)
Documents released by Shadow brokers suggests that the NSA may have accessed EastNets, Dubai-based company that helps manage SWIFT transactions for dozens of banks and companies in the Middle East. EastNets has denied that its systems were breached.Read more in:
WSJ: Hacker Group Says U.S. Tried to Breach Money-Transfer System https://www.wsj.com/articles/hacker-group-says-u-s-tried-to-breach-money-transfer-system-1492213619
Threatpost: Shadowbrokers Expose NSA Access to SWIFT Security Bureaus https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/
BleepingComputer: Shadow Brokers Release New Files Revealing Windows Exploits, SWIFT Attacks https://www.bleepingcomputer.com/news/security/shadow-brokers-release-new-files-revealing-windows-exploits-swift-attacks/
Wired: Major Leak Suggest NSA Was Deep in Middle East Banking System https://www.wired.com/2017/04/major-leak-suggests-nsa-deep-middle-east-banking-system/
BBC: US government 'monitored bank transfers' http://www.bbc.com/news/technology-39606575
NYT: Hacking Group Claims N.S.A. Infiltrated Mideast banking System https://www.nytimes.com/2017/04/15/us/shadow-brokers-nsa-hack-middle-east.html
Old Systems Need People Who Know How to Fix Them (April 10, 2017)
Some COBOL-based systems, built in the 1970s and 1980s, are still in use at financial firms, large corporations, and government. New apps and tools written in modern languages and still must interact seamlessly with the old systems. The number of people equipped to address problems with those systems is diminishing. While the cost of addressing operational and interoperability issues may be high, it is less than the cost of completely replacing the old systems. IBM has created training programs to teach young developers the old language.[Editor Comments]
[Murray] Business does not "run" old code. Old code runs the business. Like it or not, applications have a finite useful life. It Is important to know what it is and to have a plan for what to do at the end of the application's life.
Read more in:
Reuters: Banks scramble to fix old systems as IT 'cowboys' ride into sunset http://www.reuters.com/article/us-usa-banks-cobol-idUSKBN17C0D8
INTERNET STORM CENTER TECH CORNER
Detecting SMB Covert Channel "Doublepulsar"
https://isc.sans.edu/forums/diary/Detecting+SMB+Covert+Channel+Double+Pulsar/22312/ETERNALBLUE: Windows SMBv1 Exploit
https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/Detecting IDN Phishing Domains
https://isc.sans.edu/forums/diary/Tool+to+Detect+Active+Phishing+Attacks+Using+Unicode+LookAlike+Domains/22310/Old Linux Kernel Bug Allows for Remote Code Execution via UDP
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=197c949e7798fbf28cfadc69d9ca0c2abbf93191Microsoft Edge JavaScript "fetch" Function Can Be Used to Leak User Data
http://mov.sx/2017/04/16/microsoft-edge-leaks-url.html***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create