SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #4

January 13, 2017

TOP OF THE NEWS

Cyber Attacks Last Month Targeted Elements of Ukraine's Critical Infrastructure
Internet Systems Consortium Issues Fixes for BIND Flaws
FBI Withdrew Cloudflare National Security Letter After Legal Challenge

THE REST OF THE WEEK'S NEWS

Fiat Chrysler is Facing Allegations of Using Engine Management Software That Allows Emissions to Exceed Standards
Two People Arrested in Italy in Connection with Spear-Phishing Campaign
Rep. Ted Lieu Named to House Judiciary Committee
Adobe Issues Fixes for Flash, Reader, and Acrobat
Proposed Legislation in Missouri Would Prohibit Use of Stingrays Without a Warrant
GoDaddy Revokes Improperly Validated SSL Certificates
Juniper SRX Firewall Upgrade Problem Opens Root Account
NIST Seeks Comments on Cybersecurity Framework Update
Senator Seeks Information About DC Metro System's IT Security
Microsoft's January Patch Tuesday


*************************** Sponsored By DomainTools *********************

Threat Intelligence holds great potential for helping network defenders block adversaries who have not yet breached them, and find evidence of those who may have. However, making practical and impactful use of the data can be tricky. It doesn't have to be. Strengthen your security posture without breaking the bank.

Register: http://www.sans.org/info/191357

***************************************************************************

TRAINING UPDATE

--SANS Las Vegas 2017 | Las Vegas, NV | January 23-30, 2017 | https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | Anaheim, CA |February 6-11, 2017 | https://www.sans.org/event/anaheim-2017

--SANS Munich Winter 2017 | Munich, Germany | February 13-18, 2017 | https://www.sans.org/event/munich-winter-2017

--SANS Secure Japan 2017 | Tokyo, Japan | February 13-25, 2017 | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017

--SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017

--SANS Online Training: Get an iPad Pro, Samsung Galaxy Tab S2, or $500 off with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Cyber Attacks Last Month Targeted Elements of Ukraine's Critical Infrastructure (January 11 & 12, 2017)

A series of cyber attacks against elements of Ukraine's critical infrastructure last month used many of the same tools that were employed in the December 2015 attacks against utilities, resulting in outages that affected 225,000 people. The December 2016 targets included the Pivnichna power transmission facility near Kyiv, the State Administration of Railway Transport, and the Treasury and Pension Fund.


[Editor Comments]

[Assante]
The goal of the attack appeared to be limited by design, but it does raise the stakes, as it was conducted at the transmission-level vice contained to their distribution system.

Read more in:

Ars Technica: Hackers trigger yet another power outage in Ukraine
-http://arstechnica.com/security/2017/01/the-new-normal-yet-another-hacker-caused-power-outage-hits-ukraine/


The Register: Crims shut off Ukraine power in wide-ranging anniversary hacks
-http://www.theregister.co.uk/2017/01/12/ukraine_power_outtage_hack/

Internet Systems Consortium Issues Fixes for BIND Flaws (January 13, 2017)

The Internet Systems Consortium (ISC) has released fixes for a trio of denial-of-service flaws in BIND. All three vulnerabilities affect mainly BIND-based DNS servers running in recursive mode.


[Editor Comments]

[Pescatore]
There has been an uptick in BIND vulnerabilities since BIND 10 came out a few years ago; about 70% have been denial of service. Good reminder to make sure your internal or external DNS services are routinely patched.

Read more in:

The Register: ISC squishes BIND packet-of-death bugs
-http://www.theregister.co.uk/2017/01/13/isc_fixes_bind_denialofservice_vuls/
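The item above notes that the three flaws mainly affect BIND servers running in recursive mode, which makes "who can reach my recursion?" the first thing to check alongside patch level. The following audit script is an added example, not ISC's code and not tied to the specific January 2017 fixes: it reads a named.conf, works out the effective recursion ACL, and flags a resolver that answers recursive queries for any client. The ACL fallback chain it applies (allow-recursion, then allow-query-cache, then allow-query, then the built-in "localnets; localhost;") follows the BIND 9 ARM for 9.4 and later; the three configurations at the bottom are constructed samples.

```python
"""Audit a BIND named.conf for recursion exposed to arbitrary clients.

Added example, not ISC's code. The effective-ACL fallback chain
(allow-recursion -> allow-query-cache -> allow-query -> "localnets; localhost;")
follows the BIND 9 ARM (9.4+). Only the literal "any" element is treated as
open; equivalents such as 0.0.0.0/0 are not recognised by this simple check.
"""
import re


def _strip_comments(conf: str) -> str:
    """Remove /* */, // and # comments so they cannot hide or fake directives."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def _options_block(conf: str) -> str:
    """Return the text inside options { ... }, honouring nested braces."""
    start = re.search(r"\boptions\s*\{", conf)
    if not start:
        return ""
    depth, open_idx = 0, start.end() - 1
    for j in range(open_idx, len(conf)):
        if conf[j] == "{":
            depth += 1
        elif conf[j] == "}":
            depth -= 1
            if depth == 0:
                return conf[open_idx + 1:j]
    return ""


def _acl(opts: str, name: str):
    """Elements of `name { a; b; };` in the options block, or None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}\s*;", opts)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit_options(conf: str) -> dict:
    """Report recursion state, the effective recursion ACL, and findings."""
    opts = _options_block(_strip_comments(conf))
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    recursion = (rec.group(1) == "yes") if rec else True  # BIND default: yes

    effective = None
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        effective = _acl(opts, name)
        if effective is not None:
            break
    if effective is None:
        effective = ["localnets", "localhost"]  # ARM default when none is set

    findings = []
    if recursion and "any" in effective:
        findings.append("recursion is enabled for any client; restrict allow-recursion")
    if not re.search(r'\bversion\s+"[^"]*"\s*;', opts):
        findings.append('version string not overridden (consider version "none";)')
    return {"recursion": recursion, "effective_recursion_acl": effective,
            "findings": findings}


# Constructed sample configurations (not from any real deployment).
OPEN_RESOLVER = """
options {
    directory "/var/named";
    recursion yes;              // the default anyway
    allow-query { any; };       # no allow-recursion: falls back to allow-query
};
"""

RESTRICTED_RESOLVER = """
acl trusted { 127.0.0.1; 10.0.0.0/8; };
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { trusted; };
    version "none";
};
"""

AUTHORITATIVE_ONLY = """
options {
    recursion no;
    version "none";
};
"""

if __name__ == "__main__":
    for label, conf in (("open", OPEN_RESOLVER), ("restricted", RESTRICTED_RESOLVER),
                        ("authoritative", AUTHORITATIVE_ONLY)):
        print(label, audit_options(conf))
```

The first sample is the case that bites people: no allow-recursion at all looks harmless, but with allow-query set to any the ARM fallback makes recursion open to the world. Hiding the version string only reduces reconnaissance; it is no substitute for applying ISC's fixes.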

FBI Withdrew Cloudflare National Security Letter After Legal Challenge (January 12, 2017)

When Cloudflare received a National Security Letter (NSL) from the FBI in 2013, the company countered by filing a lawsuit; the FBI withdrew the NSL, which had sought information related to a certain Cloudflare account, though not the content of communications. Despite the withdrawal, Cloudflare was obligated to abide by the gag order that accompanied the NSL, which means that it is only now able to disclose the fact of its existence.

Read more in:

ZDNet: FBI withdrew national security letter after Cloudflare lawsuit
-http://www.zdnet.com/article/fbi-withdrew-national-security-letter-after-cloudflare-lawsuit/



*************************** SPONSORED LINKS ********************************

1) Don't Miss: Implementing and Maintaining a DevSecOps Approach in the Cloud - Tips, tricks, operational and security best practices. Register: http://www.sans.org/info/191367

2) SANS 2017 SOC Survey is NOW OPEN - It takes a village to protect today's networks from cyber threats. Tell us how your organization is accomplishing these tasks and enter to win a $400 Amazon gift card! http://www.sans.org/info/191372

3) SANS 2017 Threat Hunting Survey - Is threat hunting proactive, reactive or both? Tell us in this SANS survey: http://www.sans.org/info/191377

******************************************************************************

THE REST OF THE WEEK'S NEWS

Fiat Chrysler is Facing Allegations of Using Engine Management Software That Allows Emissions to Exceed Standards (January 12, 2017)

The U.S. Environmental Protection Agency (EPA) and the California Air Resources Board have issued a notice of violation to Fiat Chrysler Automobiles (FCA) that alleges the company failed to disclose the presence of software on some of its diesel vehicles that allowed exhaust emissions above the legal limit established by the federal Clean Air Act. FCA maintains its software complies with EPA standards. FCA is also facing trouble in Europe: the European Commission has asked Italy to respond to allegations from Germany's motor vehicle authority that FCA vehicles allowed emissions above established standards there.


[Editor Comments]

[Pescatore]
Volkswagen set aside $7.3B (billion) dollars for their emissions software fraud scandal, and estimates say total cost will be several times higher than that. This type of software problem (a company purposely building illegal functions into their software) is not part of the cybersecurity domain, but these events do raise software quality issues to the CEO and Board of Directors level. CISOs should take advantage and look to attach Secure Development Life Cycle and other software security improvement efforts to software quality improvement initiatives.

Read more in:

Wired: Here We Go Again: EPA Accuses Fiat Chrysler of Selling Dirty Diesels
-https://www.wired.com/2017/01/epa-now-accusing-fiat-chrysler-selling-dirty-diesels/


Forbes: EPA Makes An Example Of Fiat Chrysler After Missing VW Diesel Cheating Scandal
-http://www.forbes.com/sites/joannmuller/2017/01/12/newly-vigilant-epa-makes-an-example-of-fiat-chrysler-after-missing-vw-diesel-cheating-scandal/#261c419b7e11


Washington Post: EPA accuses Fiat Chrysler of cheating in emissions (video)
-https://www.washingtonpost.com/video/business/technology/fiat-chrysler-accused-of-cheating-on-emissions-test-by-epa/2017/01/12/4031bfb0-d8f3-11e6-a0e6-d502d6751bc8_video.html


Reuters: EU says expects answers from Italy over alleged Fiat emissions cheating
-http://www.reuters.com/article/us-fiatchrysler-emissions-commission-idUSKBN14W2VC?il=0

Two People Arrested in Italy in Connection with Spear-Phishing Campaign (January 10, 11 & 12, 2017)

Police in Italy have arrested two people in connection with a spear-phishing campaign that used the EyePyramid Trojan horse program to attempt to gain access to the systems of businesspeople, bankers, several cardinals, and two former prime ministers. The attackers used the malware to steal more than 87 gigabytes of data. Investigators appear to be focusing on the likelihood that the campaign was aimed at gathering information for investment purposes rather than having a political goal. The stolen data were stored on servers in the U.S.; the FBI has seized those servers and will send them to Italy.

Read more in:

Reuters: Italy arrests two for hacking into emails of ECB's Draghi, former Italy PM Renzi
-http://www.reuters.com/article/us-italy-cybercrime-idUSKBN14U1K2?il=0

The Register: Brother-and-sister duo arrested over hacking campaign targeting Italy's bigwigs
-http://www.theregister.co.uk/2017/01/12/eyepyramid/

SC Magazine: Brother-sister team busted for high-level email hacks
-https://www.scmagazine.com/brother-sister-team-busted-for-high-level-email-hacks/article/631034/


TrendMicro: The Eye of the Storm: A Look at EyePyramid, the Malware Supposedly Used in High-Profile Hacks in Italy
-http://blog.trendmicro.com/trendlabs-security-intelligence/eye-storm-look-eyepyramid-malware-supposedly-used-high-profile-hacks-italy/


GitHub: What we know (technically) about EyePyramid
-https://github.com/eyepyramid/eyepyramid

Rep. Ted Lieu Named to House Judiciary Committee (January 11 & 12, 2017)

U.S. Representative Ted Lieu (D-California) has been named to the House Judiciary Committee. Lieu has been an outspoken critic of law enforcement requests for backdoors in encryption products, saying during an April 2015 hearing, "It is clear to me that creating a pathway for encryption only for good guys is technologically stupid - you just can't do that."

Read more in:

Ars Technica: Sole House Dem with computer science degree will "fight like hell" against Trump
-http://arstechnica.com/tech-policy/2017/01/sole-house-dem-with-computer-science-degree-will-fight-like-hell-against-trump/


West Side Today: Lieu Statement
-http://westsidetoday.com/2017/01/12/la-county-congress-representative-ted-lieu-issues-statement-to-congress/

Adobe Issues Fixes for Flash, Reader, and Acrobat (January 11, 2017)

Adobe has released fixes for vulnerabilities in Flash Player, Reader, and Acrobat. The Flash update addresses 12 remote code execution flaws and one information disclosure flaw. Users should upgrade to Flash Player version 24.0.0.194 for Mac, Windows, and Linux. The Flash Player plugins for Chrome, Edge, and Internet Explorer will be updated through the browsers' update mechanisms. Updates for Reader and Acrobat address 29 flaws, 28 of which could allow arbitrary code execution.


[Editor Comments]

[Pescatore]
The earlier item on the latest BIND vulnerabilities reminded me that BIND got dramatically better when BIND 4 and 8 were thrown away and BIND 9 was a total rewrite. Adobe seems to be stuck in a BIND 4/8 world...

Read more in:

Computerworld: Adobe patches critical flaws in Flash Player, Reader and Acrobat
-http://computerworld.com/article/3156744/security/adobe-patches-critical-flaws-in-flash-player-reader-and-acrobat.html


KrebsOnSecurity: Adobe, Microsoft Push Critical Security Fixes
-https://krebsonsecurity.com/2017/01/adobe-microsoft-push-critical-security-fixes-9/

Proposed Legislation in Missouri Would Prohibit Use of Stingrays Without a Warrant (January 11, 2017)

A bill introduced in Missouri's state legislature would prohibit the use of stingrays, also known as cell site simulators, without a warrant except in cases of emergency. The proposed legislation also specifies how the information collected with cell site simulators may be used.

Read more in:

SC Magazine: Missouri bill limits warrantless stingray use
-https://www.scmagazine.com/missouri-bill-hb-403-limits-warrantless-stingray-use/article/631033/


SC Magazine: HB 403 - Wire Communications (PDF)
-https://media.scmagazine.com/documents/281/hb0403i_70118.pdf

GoDaddy Revokes Improperly Validated SSL Certificates (January 11, 2017)

GoDaddy has revoked nearly 9,000 SSL certificates because they were "issued without a proper domain validation." The problem was caused by a bug introduced during a code change that was supposed to improve the process of issuing certificates. Websites with affected certificates will still have HTTPS encryption, but site visitors might see warnings until a new certificate is in place. GoDaddy is "actively working with [its] customers to reissue their SSL certificates."


[Editor Comments]

[Pescatore]
Since SSL is totally useless when server certificates are issued "without a proper domain validation," it would seem that quality control release criteria would have "make sure domains are properly validated before issuing" as the most important Go/NoGo test. This appears to be one of those "under certain conditions" kinds of bugs that generally translates to "not enough testing."

Read more in:

The Register: GoDaddy revokes digital certificates improperly validated due to bug
-http://www.theregister.co.uk/2017/01/11/godaddy_pulls_unvalidated_digital_certs/

GoDaddy: Information about SSL bug
-https://www.godaddy.com/garage/godaddy/information-about-ssl-bug/
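The GoDaddy item and the editor comment above both turn on one point: a domain-validation (DV) check is only worth anything if it cannot be satisfied by something other than the applicant publishing the CA's token. The script below is an added example, not GoDaddy's code. The page does not describe GoDaddy's bug, so the failure simulated here (a server whose 404 page reflects the requested URL, token included) is a hypothetical pitfall chosen to show why the check must insist on an exact match; it is not a reconstruction of what happened at GoDaddy. The challenge path, the HttpResponse type and the three stand-in web servers are constructed so the whole thing runs offline.

```python
"""Domain-validation challenge check: a loose check beside a strict one.

Added example, not GoDaddy's code. The echoing-404 server below is a
hypothetical pitfall, not a description of GoDaddy's bug. No network access:
the applicant's web servers are stand-in functions taking a URL path.
"""
import secrets
from dataclasses import dataclass


@dataclass
class HttpResponse:
    status: int
    body: str


def new_token() -> str:
    """Random challenge token the CA asks the applicant to publish."""
    return secrets.token_hex(16)


def challenge_path(token: str) -> str:
    # Hypothetical well-known path; real CAs define their own (cf. ACME http-01).
    return f"/.well-known/dv-challenge/{token}"


def loose_dv_check(fetch, token: str) -> bool:
    """Pitfall: passes if the token appears anywhere in the body, whatever the
    status code. Any server that reflects the request URL passes for free."""
    return token in fetch(challenge_path(token)).body


def strict_dv_check(fetch, token: str) -> bool:
    """Require a 200 response whose entire body is the token."""
    resp = fetch(challenge_path(token))
    return resp.status == 200 and resp.body.strip() == token


# --- Constructed stand-ins for the applicant's web server ---

def owner_published(token: str):
    """Applicant really placed the token at the challenge path."""
    def fetch(path: str) -> HttpResponse:
        if path == challenge_path(token):
            return HttpResponse(200, token + "\n")
        return HttpResponse(404, "Not Found")
    return fetch


def echoing_404(path: str) -> HttpResponse:
    """Nothing was published, but the 404 page reflects the requested URL."""
    return HttpResponse(404, f"<h1>404</h1><p>{path} was not found on this server.</p>")


def plain_404(path: str) -> HttpResponse:
    """Nothing was published; generic error page."""
    return HttpResponse(404, "Not Found")


def run_scenarios(token=None) -> dict:
    """Return {scenario: (loose_result, strict_result)} for the three servers."""
    token = token or new_token()
    servers = {
        "owner_published": owner_published(token),
        "echoing_404": echoing_404,
        "plain_404": plain_404,
    }
    return {name: (loose_dv_check(f, token), strict_dv_check(f, token))
            for name, f in servers.items()}


if __name__ == "__main__":
    for name, (loose, strict) in run_scenarios().items():
        print(f"{name:16s} loose={loose!s:5s} strict={strict}")
```

The second and third scenarios are the negative tests a CA's release suite needs: the "Go/NoGo" criterion in the editor comment is simply that a validator change cannot ship while either of them yields a pass.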

Juniper SRX Firewall Upgrade Problem Opens Root Account (January 11, 2017)

Juniper has issued an advisory warning of a problem with upgrades on its SRX firewalls that "can leave the system in a state where root CLI login is allowed without a password." The issue affects SRX Series devices on Junos OS releases prior to 12.1X46-D65 that were upgraded using the "request system software" command with the "partition" option. Under those conditions the upgrade can fail and leave the device accepting root CLI logins with no password; administrators who performed such an upgrade should confirm that root authentication is still enforced and follow the recovery steps in Juniper's bulletin.

Read more in:

The Register: Juniper warns: Borked upgrade opens root on firewalls
-http://www.theregister.co.uk/2017/01/11/juniper_warns_borked_upgrade_opens_root_on_firewalls/


Juniper: Security Bulletin: SRX Series: Upgrades using 'partition' option may allow unauthenticated root login
-https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10753&cat=SIRT_1&actp=LIST

NIST Seeks Comments on Cybersecurity Framework Update (January 11, 2017)

The U.S. National Institute of Standards and Technology (NIST) has released a new draft of the Framework for Improving Critical Infrastructure Cybersecurity. Comments will be accepted through April 10, 2017.


[Editor Comments]

[Northcutt]
In one sense, another framework makes me want to puke. However, this organized security framework is the path to better risk management. Why NIST could not read and use the Critical Security Controls is beyond my understanding. But please, especially if you are US government, read and respond. I will do the same.

Read more in:

SC Magazine: NIST updates Cybersecurity Framework, seeks comment
-https://www.scmagazine.com/nist-updates-cybersecurity-framework-seeks-comment/article/630892/


NIST: Cybersecurity Framework Draft Version 1.1
-https://www.nist.gov/cyberframework/draft-version-11

Senator Seeks Information About DC Metro System's IT Security (January 9 & 11, 2017)

In a letter to the Washington (DC) Metropolitan Area Transit Authority (WMATA), U.S. Senator Mark Warner (D-Virginia) has asked for information regarding the organization's cybersecurity plans, Metro station Wi-Fi implementation, and "the status of efforts to responsibly address first responder interoperability concerns." Regarding cybersecurity, Senator Warner asked about the age of WMATA's IT systems, whether or not it has implemented network segmentation, and whether it has developed a plan to manage ransomware attacks.

Read more in:

GCN: Senator checks on DC Metro IT security
-https://gcn.com/articles/2017/01/11/wmata-it-security-communications.aspx?admgarea=TC_SecCybersSec


Scribd: Senator Warner's letter to WMATA
-https://www.scribd.com/document/336106852/WMATA-Cyber-Letter-and-Safety-Update-1-9-2017

Microsoft's January Patch Tuesday (January 10 & 11, 2017)

Microsoft's first scheduled security update of 2017 comprises fixes for vulnerabilities in Windows, Edge, Office, and Adobe Flash Player. Of the four bulletins that make up January's release, two are rated critical and the other two are rated important.

Read more in:

SC Magazine: Patch Tuesday: Microsoft issues two critical fixes
-https://www.scmagazine.com/patch-tuesday-microsoft-issues-two-critical-fixes/article/630759/


Computerworld: Microsoft's January patch release is among its smallest ever
-http://computerworld.com/article/3156042/security/microsofts-january-patch-release-is-among-its-smallest-ever.html


V3: Microsoft issues smallest ever Patch Tuesday security release
-http://www.v3.co.uk/v3-uk/news/3002348/microsoft-issues-smallest-ever-patch-tuesday-security-release


Microsoft: Microsoft Security Bulletin Summary for January 2017
-https://technet.microsoft.com/en-us/library/security/ms17-jan


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board