SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #39

May 16, 2017

WannaCry News


WannaCry: SANS Resources
WannaCry: Who Was Affected? How Did It Spread?
WannaCry: So Bad, Even XP Gets a Patch
WannaCry: Microsoft Tells NSA to Stop Hoarding Zero-Days
WannaCry: Kill Switch
WannaCry: Malware May Have Ties to North Korea

The Rest of the Week's News


US Army Plans to Complete Migration to Windows 10 by End of Year
Securing the Internet of Things
Foreign Businesses Seek Delay of Chinese Cyber Law
NIST Draft Guidance for Infusion Pump Security
NIST: Let Passwords Be Longer and Eliminate Character Variation Requirements
Microsoft Manager Posts PowerShell API to Generate Security Bulletins
Apple Releases Updates for iOS, macOS, and Other Products

INTERNET STORM CENTER TECH CORNER


WANNA CRY NEWS

WannaCry: SANS Resources (May 12 & 16, 2017)

*Recorded Webcast from May 12: WannaCry Ransomware Threat - What we know so far (Jake Williams) https://www.sans.org/webcasts/special-webcast-wannacry-ransomeware-threat-105160
*Webcast: Latest on WannaCry Ransomware (Jake Williams, Renato Marinho, and Benjamin Wright) https://www.sans.org/webcasts/latest-wannacry-ransomware-105150
*ISC has a great summary with supporting documentation: WannaCry/WannaCrypt Ransomware Summary https://isc.sans.edu/forums/diary/WannaCryWannaCrypt+Ransomware+Summary/22420/

WannaCry: Who Was Affected? How Did It Spread? (May 12, 14, & 15, 2017)

WannaCry ransomware infected computers in at least 150 countries. Victims included a Renault automobile plant in France, FedEx in the US, Germany's national railway, Deutsche Bahn, and the UK's National Health Service. The computers that became infected had not been patched. China was hit particularly hard because of the prevalence of pirated Windows installations there, most of which are not registered and therefore do not receive updates. Once inside a network the malware spreads on its own as a worm over SMB; investigators are still trying to determine how the initial infections occurred.

[Editor Comments]

[Murray] What is just as important is that those on a current version of Windows 10 were not vulnerable. If we are going to rely on a strategy of late discovery of flaws, it is urgent that everyone stay current. Failure to do so puts one's mission at risk at best, and one's neighbors at risk at worst.

Read more in:

Computerworld: 'Perfect storm' of ransomware and network worm hits unprotected computers globally http://computerworld.com/article/3196119/security/perfect-storm-of-ransomware-and-network-worm-hits-unprotected-computers-globally.html
NYT: China, Addicted to Bootleg Software, Reels From Ransomware Attack https://www.nytimes.com/2017/05/15/business/china-ransomware-wannacry-hacking.html
NYT: Cyberattack Spreads in Asia; Thousands of Groups Affected https://www.nytimes.com/2017/05/15/world/asia/china-cyberattack-hack-ransomware.html
WSJ: Ransomware Hack Exploited Human Error https://www.wsj.com/articles/ransomware-hack-exploited-human-error-1494754201
WSJ: Cybersecurity Experts' First Task: Find Out How Virus Spread https://www.wsj.com/articles/cybersecurity-experts-first-task-find-out-how-virus-spread-1494868250

WannaCry: So Bad, Even XP Gets a Patch (May 13, 2017)

On Friday, May 12, Microsoft issued emergency patches for older, unsupported versions of Windows to fix the SMBv1 vulnerability (bulletin MS17-010) that the WannaCry ransomware exploits to spread. Microsoft already had patches for Windows XP, Windows 8, and Windows Server 2003 because those platforms are still covered by paid custom support. Patches for the same flaw were released for supported versions of Windows in March, a month before Shadow Brokers posted the cache of NSA exploit tools. Microsoft's guidance also recommends disabling SMBv1 on systems that cannot be patched immediately.

Read more in:

Microsoft: Customer Guidance for WannaCrypt attacks https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
The Register: 74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+ http://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/
Computerworld: Microsoft issues first Windows XP patch in 3 years to stymie 'WannaCrypt' http://computerworld.com/article/3196292/windows-pcs/microsoft-issues-first-windows-xp-patch-in-3-years-to-stymie-wannacrypt.html
KrebsOnSecurity: Microsoft Issues WanaCrypt Patch for Windows 8, XP https://krebsonsecurity.com/2017/05/microsoft-issues-wanacrypt-patch-for-windows-8-xp/
Threatpost: Microsoft Releases XP Patch for WannaCry Ransomware https://threatpost.com/microsoft-releases-xp-patch-for-wannacry-ransomware/125671/
BleepingComputer: Microsoft Releases Patch for Older Windows Versions to Protect Against Wana Decryptor https://www.bleepingcomputer.com/news/security/microsoft-releases-patch-for-older-windows-versions-to-protect-against-wana-decrypt0r/

WannaCry: Microsoft Tells NSA to Stop Hoarding Zero-Days (May 14 & 15, 2017)

In the wake of the WannaCry ransomware infections around the world, Microsoft has criticized governments' practice of stockpiling zero-day vulnerabilities. Microsoft President and Chief Legal Officer Brad Smith called WannaCry a "wake-up call" for governments. WannaCry spreads using an exploit called EternalBlue, allegedly developed by the NSA and posted to the Internet a month ago by Shadow Brokers. EternalBlue exploits a flaw in Windows SMBv1; the leaked exploit works against unpatched versions of Windows other than Windows 10, and Microsoft fixed the underlying flaw for supported versions in March.

[Editor Comments]

[Honan] Asking government spy agencies not to use tools to spy with is unreasonable. Maybe the focus should be more on ensuring the systems our businesses, our economies, and our societies rely on are built securely from the start.

Read more in:

Microsoft: The need for urgent collective action to keep people safe online: Lessons from last week's cyberattack https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.0000007mx8kgaypf2hxpi5ku113c3
ZDNet: Windows ransomware: WannaCrypt shows why NSA shouldn't stockpile exploits, says Microsoft http://www.zdnet.com/article/windows-ransomware-wannacrypt-shows-why-nsa-shouldnt-stockpile-exploits-says-microsoft/
Cyberscoop: Microsoft slams NSA over WannaCry ransomware https://www.cyberscoop.com/microsoft-wannacry-ransomware-nsa/?category_news=technology
Ars Technica: Two days after WCry worm, Microsoft decries exploit stockpiling by governments https://arstechnica.com/security/2017/05/2-days-after-wcry-worm-microsoft-decries-exploit-stockpiling-by-governments/

WannaCry: Kill Switch (May 12, 13, & 15, 2017)

While analyzing a sample of WannaCry late last week, a researcher in the UK noticed that the malware tried to connect to an unregistered domain before doing anything else. The researcher registered the domain, which had the unexpected result of stopping new infections from encrypting files and slowing the worm's spread. If the connection attempt failed, the malware went on to encrypt files and scan for further victims; if the domain answered, the malware simply exited. The check is a plain HTTP request that does not honor proxy settings, so hosts that can only reach the Internet through a proxy, or that have no Internet access at all, get no protection from the kill switch, and registering the domain does nothing for hosts that were already encrypted. A variant of the malware without the kill-switch domain has since been detected.
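The kill-switch lookup described above is also a useful incident-response signal: any host that queried the domain ran the malware, and the answer it got tells you whether the check failed (the sample went on to encrypt and scan) or succeeded (the sample exited). The following triage script is an added example, not code from the newsletter, ISC, or the researcher; the resolver log format, the client addresses and KILL_SWITCH_DOMAIN are all constructed placeholders, and the domain must be replaced with the one published in the ISC summary linked above.

```python
"""Triage resolver query logs for WannaCry kill-switch lookups.

Added example; nothing here comes from the newsletter or from ISC.
The log lines, hosts and domain below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Placeholder, NOT the real kill-switch domain: substitute the one from the ISC diary.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"

# Constructed resolver log: timestamp, client, query type, qname, response code.
SAMPLE_LOG = """\
2017-05-12T10:31:05Z client 10.0.4.17 query A killswitch.example.invalid rcode NXDOMAIN
2017-05-12T10:31:09Z client 10.0.4.17 query A wpad.corp.example rcode NOERROR
2017-05-12T11:02:44Z client 10.0.9.3 query A killswitch.example.invalid rcode NXDOMAIN
2017-05-12T16:20:12Z client 10.0.2.88 query A killswitch.example.invalid rcode NOERROR
2017-05-12T16:25:01Z client 10.0.9.3 query A killswitch.example.invalid rcode NOERROR
2017-05-13T08:00:00Z client 10.0.6.5 query A www.example.org rcode NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query \S+ (?P<qname>\S+) rcode (?P<rcode>\S+)$"
)


def parse_log(text):
    """Yield one dict per query line; lines in other formats are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "client": m["client"],
            "qname": m["qname"].rstrip(".").lower(),
            "rcode": m["rcode"],
        }


def triage(text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that looked up the kill-switch domain to a verdict.

    Any lookup at all means the dropper executed on that host.  A failed
    answer (NXDOMAIN, SERVFAIL, or anything but NOERROR) means the check
    failed, so that run went on to encrypt and scan; note that a proxy-only
    network whose internal resolver never resolves external names produces
    the same failure even after the domain was registered.  A NOERROR answer
    means the sample found the domain and exited, but the host still ran
    the malware and needs isolation and the MS17-010 patch.
    """
    hits = defaultdict(list)
    for rec in parse_log(text):
        if rec["qname"] == domain.lower():
            hits[rec["client"]].append(rec)

    verdicts = {}
    for client, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        failed = any(r["rcode"] != "NOERROR" for r in recs)
        verdicts[client] = {
            "first_seen": recs[0]["ts"].isoformat(),
            "lookups": len(recs),
            "verdict": "ENCRYPT_AND_SPREAD" if failed else "KILLSWITCH_TRIGGERED",
        }
    return verdicts


if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client:12} first_seen={info['first_seen']} "
              f"lookups={info['lookups']} verdict={info['verdict']}")
```

Hosts listed as ENCRYPT_AND_SPREAD should be treated as both victims and scanners of their neighbours; hosts listed as KILLSWITCH_TRIGGERED still executed the dropper and should be isolated and patched before they are trusted again.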

[Editor Comments]

[Honan] A worrying and upsetting side effect of this work by this security researcher is how mainstream media tracked this person down and exposed his identity to the world, all in the name of news. Effective security researchers often upset criminals which in turn puts the lives of those researchers at risk. Reporters please take time to think through the consequences of your actions.

Read more in:

Ars Technica: How I accidentally stopped a global Wanna Decryptor ransomware attack https://arstechnica.com/information-technology/2017/05/wanna-decryptor-kill-switch-analysis/
Wired: How an Accidental 'Kill Switch' Slowed Friday's Massive Ransomware Attack https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/
The Register: Ransomware scum have already unleashed kill-switch-free WannaCrypt variant http://www.theregister.co.uk/2017/05/15/wannacrypt_variant/
Computerworld: 'Kill switch' helps slow the spread of WannaCry ransomware http://computerworld.com/article/3196686/security/kill-switch-helps-slow-the-spread-of-wannacry-ransomware.html

WannaCry: Malware May Have Ties to North Korea (May 15, 2017)

Some researchers say that the WannaCry ransomware appears to have links to North Korea. An early version of the malware shares some code with a backdoor program used by the Lazarus hacking group, which is believed to have ties to the North Korean government. It is possible that the shared code is a red herring, a planted clue meant to misdirect attribution.

Read more in:

Ars Technica: Virulent WCry ransomware worm may have North Korea's fingerprints on it https://arstechnica.com/security/2017/05/virulent-wcry-ransomware-worm-may-have-north-koreas-fingerprints-on-it/
Wired: The WannaCry Ransomware Has a Link to Suspected North Korean Hackers https://www.wired.com/2017/05/wannacry-ransomware-link-suspected-north-korean-hackers/
Cyberscoop: Researchers: WannaCry ransomware shares code with North Korean malware https://www.cyberscoop.com/wannacry-ransomware-north-korea-lazarus-group/?category_news=technology
Reuters: Researchers see possible North Korea link to global cyber attack http://www.reuters.com/article/us-cyber-attack-idUSKCN18B0AC

THE REST OF THE WEEK'S NEWS

US Army Plans to Complete Migration to Windows 10 by End of Year (May 5 & 15, 2017)

US Defense Department (DoD) acting chief information officer John Zangardi told attendees at the Adobe Digital Government Symposium earlier this month that DoD plans to complete its migration to Windows 10 by December 31, 2017. The move has run into some problems due to hardware upgrade and compatibility issues.

[Editor Comments]

[Northcutt] It is a huge step, but I am convinced there are more pluses than minuses. One characteristic that has a foot in both camps is the evergreen (always changing, always updating) nature of the OS. It will make configuration management hard if not impossible, but lots of needed updates will take place:

https://www.defense.gov/News/Article/Article/688721/dod-wide-windows-10-rapid-deployment-to-boost-cybersecurity/
http://iasecontent.disa.mil/stigs/pdf/U_DoD_CIO_Memo_Migration_to_Windows_10_Secure_Host_Baseline.pdf
https://blog.juriba.com/evergreen-it-concept-or-reality
https://www.onmsft.com/news/microsoft-explains-versioning-evergreen-edge-browser

Read more in:

Softpedia: US Army Goes All-In on Windows 10 As WannaCry Infects More High-Profile Targets http://news.softpedia.com/news/us-army-goes-all-in-on-windows-10-as-wannacry-infects-more-high-profile-targets-515708.shtml
FNR: Efficiency and effectiveness, being risk aware part of DoD acting CIO's cyber priorities https://federalnewsradio.com/defense/2017/05/efficiency-and-effectiveness-being-risk-aware-part-of-dod-acting-cios-cyber-priorities/

Securing the Internet of Things (May 8, 2017)

Microsoft is calling for the development of a cybersecurity policy for the Internet of Things (IoT). While "industry can build security into the development of IoT devices and infrastructure, ... the number of IoT devices, the scale of their deployments, the heterogeneity of systems, and the technical challenges of deployment into new scenarios require an approach specific to IoT." In a separate story, Japan's Internal Affairs and Communications Ministry will introduce a certification system for IoT devices that will rate their resilience to cyberattacks.

[Editor Comments]

[Murray] Proper labeling must be part of this strategy. Such labels should specify whether or not an appliance is intended for, is sufficiently robust for, direct connection to the public network, or is only intended for connection to private networks. It should specify a "discard by" date. It should specify where, with the vendor or the consumer, the responsibility for misbehavior or misuse and remediation rests.

Read more in:

Dark Reading: Microsoft Calls for IoT Cybersecurity Policy Development http://www.darkreading.com/iot/microsoft-calls-for-iot-cybersecurity-policy-development/d/d-id/1328884?
Microsoft: Cybersecurity Policy for the Internet of Things (PDF) https://mscorpmedia.azureedge.net/mscorpmedia/2017/05/IoT_WhitePaper_5_15_17.pdf
Salt Lake Trib: Japan to rate home devices on cyber-attack vulnerabilities http://www.sltrib.com/home/5265675-155/story.html

Foreign Businesses Seek Delay of Chinese Cyber Law (May 12, 2017)

Business groups from around the world are urging China to delay implementation of a cybersecurity law that would impose strict surveillance and storage security rules on companies doing business in that country. The law is scheduled to take effect on June 1, 2017; the business groups say the law needs more review. The law requires that companies doing business in China undergo security reviews and store data in the country. The law appears to be inconsistent with the country's free trade pledges and with World Trade Organization rules.

Read more in:

NYT: Foreign Business Groups Push for Delay in Controversial China Cyber Law https://www.nytimes.com/reuters/2017/05/12/business/12reuters-china-cyber-law.html
Fifth Domain: Trade groups appeal to Beijing to postpone cybersecurity law http://fifthdomain.com/2017/05/15/trade-groups-appeal-to-beijing-to-postpone-cybersecurity-law/
Reuters: Foreign business groups push for delay in controversial China cyber law http://www.reuters.com/article/us-china-cyber-law-idUSKBN188156

NIST Draft Guidance for Infusion Pump Security (May 11, 2017)

The US National Institute of Standards and Technology (NIST) has released draft guidance for medical infusion pump security. NIST's National Cybersecurity Center of Excellence "has developed security guidance... using standards-based, commercially available technologies and industry best practices to help healthcare delivery organizations strengthen the security of the wireless infusion pump ecosystem within healthcare facilities."

Read more in:

GovInfoSec: NIST Issues Draft Guidance for Wireless Infusion Pumps http://www.govinfosecurity.com/nist-issues-draft-guidance-for-wireless-infusion-pumps-a-9910
NIST: Securing Wireless Infusion Pumps In Healthcare Delivery Organizations (PDF) https://nccoe.nist.gov/sites/default/files/library/sp1800/hit-infusion-pump-nist-sp1800-8-draft.pdf

NIST: Let Passwords Be Longer and Eliminate Character Variation Requirements (May 12, 2017)

Later this summer, the US National Institute of Standards and Technology (NIST) will release new Digital Identity Guidelines (SP 800-63-3). NIST appears likely to recommend against requiring periodic password changes and instead to employ other measures that make passwords both easier to remember and harder to crack. For instance, allowing up to 64 characters lets people use passphrases rather than passwords, and allowing spaces and doing away with character-variation (composition) requirements helps with memorization. NIST is currently reviewing the public comments received on the draft.
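To make the policy shift concrete, here is a legacy composition-rule checker beside one that follows the draft's direction. This is an added example, not code from the newsletter or from NIST: the blocklist and sample passwords are constructed, and the blocklist comparison and Unicode normalization are taken from the draft SP 800-63B text rather than from the item above. keyspace_bits() is a crude upper bound that assumes every character was chosen uniformly from its class, which is exactly why a blocklist check has to accompany it.

```python
"""Legacy composition-rule password policy beside a draft SP 800-63B style policy.

Added example; not from the newsletter or from NIST.  BLOCKLIST is a
constructed stand-in for a breached/common-password list.
"""
import math
import unicodedata
from typing import Tuple

# Constructed blocklist; a real deployment loads a breached-password corpus.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "letmein", "qwerty123", "welcome1"}


def legacy_policy(pw: str) -> Tuple[bool, str]:
    """The kind of rule set the draft moves away from:
    8-16 characters, one each of upper/lower/digit/symbol, no spaces."""
    if not 8 <= len(pw) <= 16:
        return False, "length must be 8-16"
    if " " in pw:
        return False, "spaces not allowed"
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if not (has_upper and has_lower and has_digit and has_symbol):
        return False, "must contain upper, lower, digit and symbol"
    return True, "ok"


def nist_policy(pw: str, min_len: int = 8, max_len: int = 64) -> Tuple[bool, str]:
    """Draft SP 800-63B direction: length is the only composition check,
    spaces and printable Unicode are allowed, the value is NFKC-normalized
    before measuring, and known-bad values are rejected outright."""
    norm = unicodedata.normalize("NFKC", pw)
    if len(norm) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(norm) > max_len:
        return False, f"longer than {max_len} characters"
    # Control characters (category C*) are the only thing rejected on content.
    if any(unicodedata.category(c).startswith("C") for c in norm):
        return False, "control characters not allowed"
    if norm.lower() in BLOCKLIST:
        return False, "commonly used or breached password"
    return True, "ok"


def keyspace_bits(pw: str) -> float:
    """Upper bound on search space, assuming uniform choice from the classes used.
    Dictionary words have far fewer effective bits; hence the blocklist above."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if " " in pw:
        size += 1
    if any(not c.isalnum() and c != " " for c in pw):
        size += 33  # printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Tr0ub4d0r&3", "correct horse battery staple"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"nist={nist_policy(candidate)} bits<={keyspace_bits(candidate):.1f}")
```

The interesting cases are the ones the two policies disagree on: the legacy rules accept "P@ssw0rd" (it ticks every box) while the blocklist rejects it, and the legacy rules reject a 28-character passphrase for its spaces and length while the draft-style policy accepts it with a larger search space than any 11-character full-character-set password.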

[Editor Comments]

[Murray] Bits are bits, the more of them in a password, the more resistant it is to brute force and dictionary attacks. The user should be free to choose how to add them. Password rules should accommodate, but not require, use of a full character set. However, it should be noted that strong passwords are not a substitute for strong authentication. Strong passwords resist brute force and dictionary attacks that are not a problem; strong authentication resists the replay attacks that are a problem.

Read more in:

Quartz: The US standards office wants to do away with periodic password changes https://qz.com/981941/the-us-standards-office-wants-to-do-away-with-periodic-password-changes/
NIST: Digital Identity Guidelines https://pages.nist.gov/800-63-3/

Microsoft Manager Posts PowerShell API to Generate Security Bulletins (May 12, 2017)

Facing backlash over its switch from security bulletins to a comprehensive database of updates, Microsoft has posted a PowerShell script that spits out a set of bulletins, of sorts, from the information in the database. The script, posted to GitHub by a Microsoft manager, generates "a report summarizing [the Patch Tuesday] #MSRC security bulletins." The script, which uses an API, is available to advanced users who must first obtain a key from the "Developer" tab on the Security TechCenter site.

Read more in:

Computerworld: Microsoft posts PowerShell script that spawns pseudo security bulletins http://computerworld.com/article/3196572/microsoft-windows/microsoft-posts-powershell-script-that-spawns-pseudo-security-bulletins.html

Apple Releases Updates for iOS, macOS, and Other Products (May 15, 2017)

Apple has updated its iOS and macOS operating systems. iOS 10.3.2 includes fixes for 23 security issues; macOS 10.12.5 addresses 30 vulnerabilities. Nearly half of the fixed flaws are attributed to Google's Project Zero. Apple also updated Safari to version 10.1.1, and released updates for watchOS, iTunes, iCloud for Windows, and tvOS.

Read more in:

ZDNet: Apple fixes dozens of security bugs for iPhones, Macs http://www.zdnet.com/article/apple-fixes-dozens-of-security-bugs-in-ios-10-3-2-macos-updates/
Bleeping Computer: Apple iOS 10.3.2 and other Core OS Security Updates Released https://www.bleepingcomputer.com/news/apple/apple-ios-10-3-2-and-other-core-os-security-updates-released/
Ars Technica: iOS 10.3.2 arrives with nearly two dozen security fixes https://arstechnica.com/apple/2017/05/ios-10-3-2-is-here-focuses-mostly-on-security-fixes/

INTERNET STORM CENTER TECH CORNER

WannaCry Malware Links

For the latest updates, see https://isc.sans.edu
Webcast: https://www.sans.org/webcasts/special-webcast-wannacry-ransomeware-threat-105160
PowerPoint: https://isc.sans.edu/presentations/WannaCry.ppt

Apple Updates Everything

https://support.apple.com/en-us/HT201222

OpenVPN Audit Results

https://www.privateinternetaccess.com/blog/2017/05/openvpn-2-4-evaluation-summary-report/

Italian Car Insurance Leaks User Driving Data

https://www.andreascarpino.it/posts/how-my-car-insurance-exposed-my-position.html

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create