SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #43
May 30, 2017What are the Coolest Jobs in Cybersecurity? Review the preliminary list, choose the coolest, and offer your thoughts on why those jobs are interesting and how people in those jobs can make a difference, and win a new Amazon Echo Show (the drawing for 4 Shows will take place next Tuesday). http://app.surveymethods.com/EndUser.aspx?FCD8B4ACF8BCA8A8F8
- Alan
TOP OF THE NEWS
An Overview of US's Cyber Adversaries
GCHQ to Company Boards: Take Responsibility for Digital Security
UN North Korea Sanctions Investigation Panel Reports Cyber Attack
Chipotle Offers Additional Information About Breach Following Investigation
THE REST OF THE WEEK'S NEWS
China's New Cyber Law is Vague
IETF Proposes Network Time Protocol Updates
Microsoft Fixes Windows Defender Flaw
British Airways IT Outage Causes Flight Delays and Cancellations
Group Demands FCC Remove Phony Net Neutrality Comments from Website
Google Play Store Purges Bad Apps
Some US Embassies Are Struggling with Digital Security
FTC Finds Criminals Go After Posted Consumer Data Within Minutes
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER*************************** Sponsored By Splunk **************************
Learn How to Quickly Find Malware Infections With Splunk
Splunk's guided investigation of a real-world ransomware threat will show you how to find evidence of ransomware, perform a deeper investigation and act before damage occurs. Start with a demo video then perform investigations yourself in a live, preconfigured Splunk instance. http://www.sans.org/info/195165
***************************************************************************TRAINING UPDATE
-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 | http://www.sans.org/u/qqA
-- Digital Forensics & Incident Response Summit & Training | Austin, TX | June 22-29 | https://www.sans.org/event/digital-forensics-summit-2017
-- SANS Cyber Defence Canberra 2017 | June 26-July 8 | http://www.sans.org/u/qqF
-- SANS London July 2017 | July 3-8 | http://www.sans.org/u/pSD
-- SANS Cyber Defence Singapore | July 10-15 | http://www.sans.org/u/pSI
-- SANS ICS & Energy-Houston 2017 | July 10-15, 2017 | https://www.sans.org/event/ics-houston-summit-training-2017
-- SANSFIRE 2017 | Washington, DC | July 22-29 | http://www.sans.org/u/r4U
-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017
-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!
-- SANS Online Training: Special Offer! Register by May 10 and receive a new iPad, Samsung Galaxy Tab A or take $350 off your OnDemand or vLive Course!
-- OnDemand http://www.sans.org/u/pS9
-- vLive http://www.sans.org/u/pSj
-- Multi-week Live SANS training Mentor - http://www.sans.org/u/X9 Contact mentor@sans.org
-- Looking for training in your own community? Community - http://www.sans.org/u/Xo
-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD
Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN
***************************************************************************TOP OF THE NEWS
An Overview of US's Cyber Adversaries (May 26, 2017)
This article provides a close look into the motivations and activity of the US's major cyber adversaries: Russia, China, Iran, and North Korea. Each profile addresses the country's primary motive, grand narrative, cyber strategy, cyber capability, cyber operations, and cyber posture.[Editor Comments]
[Stephen Northcutt] Articles of this type, (cyber adversaries), are at least partly conjecture since the North Koreans and others tend to be hard to interview. Here are a few more stories in an effort to add balance:
https://www.usnews.com/news/articles/2016-09-29/cyber-wars-how-the-us-stacks-up-against-its-digital-adversaries
http://www.nextgov.com/cybersecurity/2017/03/shoddy-us-cyber-deterrence-policy-emboldens-adversaries-lawmakers-say/135853/
https://defensesystems.com/articles/2016/02/04/crowdstrike-cyber-report-nation-states.aspx
http://www.pcworld.com/article/237298/top_5_potential_cyber_enemies_for_the_united_states.html
Read more in:
Fifth Domain: Profiles in cyber: Understanding the US's major adversaries in cyberspace http://fifthdomain.com/2017/05/26/profiles-in-cyber-understanding-the-uss-major-adversaries-in-cybersapce/
GCHQ to Company Boards: Take Responsibility for Digital Security (May 25, 2017)
The head of the GCHQ's National Cyber Security Centre (NCSC) is emphatic that business leaders need to take more responsibility for cyber attacks on their systems. Ciaran Martin said that for boards to plead ignorance as a defense is unacceptable. Martin told an audience at telegraph Cyber Security Conference that "business leaders need to stop saying cyber security is too complicated - and stop devolving responsibility."[Editor Comments]
[Pescatore] I can't speak for Europe, but in the US there are not many boards (F5000) in that aren't paying attention to cybersecurity. 75% of CISOs in the US report briefing the BoD regularly. Boards will never be "responsible" for cybersecurity, any more than they are "responsible" for the company's financial performance. Boards have an oversight role, not an operations role. More importantly: boards rightly assume the Chief Financial Officer runs the financial side at least to a "basic financial hygiene" level - the board focuses on strategic financial issues, not financial operations. Most of the issue involved in security programs reaching the basic security hygiene level" can and should be solved at the CISO/CIO/CEO/COO level - the Board of Directors is not the answer to operational problems.
[Murray] Boards of Directors can no more solve the security problems of the enterprise than can the security staff. It is easier to chastise them for lack of responsibility than to tell them what to do. Like security, corporate governance is harder than it looks. The primary responsibility for the protection of assets must rest with the same line management that uses and controls those assets. While Boards do raise capital, they do not even allocate resources. Like staff, they do articulate goals and objectives and they do measure results. They must express the enterprise's tolerance for risk and ensure that management has assigned roles and responsibilities for protecting assets and that they have allocated sufficient resources to the effort.
Read more in:
Telegraph: UK cyber chief says directors are devolving responsibility for hacks http://www.telegraph.co.uk/technology/2017/05/25/uk-cyber-chief-says-directors-devolving-responsibility-hacks/
UN North Korea Sanctions Investigation Panel Reports Cyber Attack (May 22, 2017)
A United Nations (UN) panel of experts who are investigating violations of sanctions on North Korea have told UN officials that it was the target of a "sustained" digital attack conducted by individuals "with very detailed insight" into the panel's work. Several members of the 1718 committee, as the panel is known, were targeted by similar attacks in 2016.Read more in:
Reuters: U.N.'s North Korea sanctions monitors hit by 'sustained' cyber attack http://www.reuters.com/article/us-cyber-un-northkorea-idUSKBN18I2GS
Chipotle Offers Additional Information About Breach Following Investigation (May 26, 2017)
US restaurant chain Chipotle has issued a press release with "further information about the payment card security incident... previously reported on April 25, 2017." Point-of-sale terminals at Chipotle and Pizzeria Locale restaurants were infected with malware that stole magnetic stripe data from payment cards. The breach was active between March 24 and April 18 of this year.[Editor Comments]
[Murray] These breaches will be routine until the retail payment industry stops shipping credit card numbers in the clear on magnetic stripes and accepting them on merchant sites. So far, the brands and issuers have not even announced a plan for doing that, much less a schedule. We need to be cardless, (credit card account) numberless, contactless, and mobile. This is one more security problem that we have the knowledge to solve but where we lack the leadership and will.
[Neely] This was a compromise that involved reading the data off the magnetic stripe on credit cards, providing the needed information for "card not present" transactions. The best mitigation is EMV (chip + PIN/signature ) based readers instead of mag stripe readers. Compare this to two-factor authentication versus a reusable password. While most consumers now carry EMV cards, Merchants have been slow to adopt the readers due to the costs involved in the hardware as well as the needed changes to their POS systems. With the shift in liability merchants are going to quickly find the costs of a breach exceed the deferred costs of implementing new readers.
Read more in:
CNET: Chipotle's latest bug hurts your wallet, not your stomach https://www.cnet.com/news/chipotles-hacked-customer-credit-card-information/
Register: Chipotle: Hackers did to our registers what our burritos did to your colon http://www.theregister.co.uk/2017/05/26/chipotle_pos_malware/
Chipotle: Chipotle Mexican Grill Reports Findings From Investigation of Payment Card Security Incident https://www.chipotle.com/security
*************************** SPONSORED LINKS *****************************
1) Be sure to check out "Fighting Account Takeover - Change The Battle and Win" Register: http://www.sans.org/info/195170
2) Webcast: "Evaluation Criteria for ICS Cyber Security Monitoring with Rockwell Automation and Claroty" Register: http://www.sans.org/info/195175
3) SANS Finance Briefing in NYC: Practical Threat Modeling For Financial Organizations - Free to the Financial Cybersecurity Community. Learn More: http://www.sans.org/info/195180
***************************************************************************
THE REST OF THE WEEK'S NEWS
China's New Cyber Law is Vague (May 29, 2017)
China's new cyber security law is set to take effect on June 1, 2017. The law requires overseas companies doing business in China to undergo security reviews and to store data within the country. The Xinhua news agency wrote, "Those who violate the provisions and infringe on personal information will face hefty fines." But determining which areas will be the focus of enforcement is unclear. The law affects multinational corporations that conduct business in the critical information infrastructure, which is loosely defined to cover any type of business that could potentially harm people's livelihoods. The data covered by the law include personal information and important data, both loosely defined. Among the risks posed to foreign companies doing business in China are that the law could give China the authority to access companies' intellectual property and plumb its cyber security issues. Overseas business groups have been urging China to delay the law's implementation.Read more in:
Forbes: China's Cyber Security Law: The Impossibility Of Compliance? https://www.forbes.com/sites/riskmap/2017/05/29/chinas-cyber-security-law-the-impossibility-of-compliance/#69024400471c
Reuters: China to implement cyber security law from Thursday https://www.reuters.com/article/us-china-cyber-law-idUSKBN18P0G9
IETF Proposes Network Time Protocol Updates (May 24 & 29, 2017)
The Internet Engineering Task Force (IETF) has published a draft document proposing "backward-compatible updates to the Network Time Protocol to strip unnecessary identifying information from client requests and to improve resilience against blind spoofing of unauthenticated server responses."[Editor Comments]
[Ullrich] NTP is an often neglected but critical protocol. Just like DNS, a lot of security decisions depend on accurate times. A lot of security decisions can be affected in subtle and hard to detect ways if an attacker has control over time.
[Murray] Historically "backwards compatibility" has been the enemy of good security. That is why periodically Apple has started with a clean slate. One hopes that an RFC can be drafted that improves the reliability of NTP and which can be implemented in a non-disruptive manner.
Read more in:
The Register: Network Time Protocol updated to spook-harden user comms http://www.theregister.co.uk/2017/05/29/network_time_protocol_updated_to_spookharden_user_comms/
IETF: NTP Client Data Minimization https://tools.ietf.org/html/draft-ietf-ntp-data-minimization-00
Microsoft Fixes Windows Defender Flaw (May 29, 2017)
Microsoft has released a silent fix for a critical vulnerability in Malware Protection Engine. An attacker could create a malicious executable that when processed by the Malware Protection Engine's emulator would allow remote code execution. Microsoft learned of the flaw on May 12 and fixed it on Wednesday, May 24. The issue was patched automatically if users have configured their systems for automatic updates.Read more in:
Softpedia: Microsoft Releases Silent Fix for Windows Defender Remote Code Execution Flaw http://news.softpedia.com/news/microsoft-releases-silent-fix-for-windows-defender-remote-code-execution-flaw-516095.shtml
Threatpost: Microsoft Quietly Patches Another Critical Malware Protection Engine Flaw https://threatpost.com/microsoft-quietly-patches-another-critical-malware-protection-engine-flaw/125951/
Chromium: MsMpEng: Multiple problems handling ntdll!NtControlChannel commands https://bugs.chromium.org/p/project-zero/issues/detail?id=1260
British Airways IT Outage Causes Flight Delays and Cancellations (May 27 & 29, 2017)
A "catastrophic... IT system failure" forced British Airways to cancel all flights leaving from London airports on Saturday, May 27. BA officials said the cause of the outage, which also affected the company's call centre and website, was a power supply issue, not a cyber attack. Flights resumed on May 28, although there have been some cancellations and delays.[Editor Comments]
[Pescatore] Self-inflicted wounds like this one point out that most businesses face many forms of serious risk that aren't related to attacks and which often have as much business impact (or more) than cyber-attacks. It is important for security teams to learn and use the language and metrics used by management in monitoring and mitigating those other major business risks.
[Ullrich] Interesting that last year's large outage at Delta was also caused by a power supply issue.
Read more in:
Reuters: British Airways flights returning to normal after damaging IT collapse https://www.reuters.com/article/us-britain-airports-heathrow-idUSKBN18P01O
BBC: British Airways: Thousands disrupted as flights axed amid IT crash http://www.bbc.com/news/uk-40069865
V3: BA cancels all flights out of Heathrow and Gatwick until 6pm and urges passengers not to turn up https://www.v3.co.uk/v3-uk/news/3010880/ba-cancels-all-flights-out-of-heathrow-and-gatwick-until-6pm-and-urges-passengers-not-to-turn-up
Bleeping Computer: British Airways Cancels All London Flights Following Catastrophic IT Failure https://www.bleepingcomputer.com/news/technology/british-airways-cancels-all-london-flights-following-catastrophic-it-failure/
Group Demands FCC Remove Phony Net Neutrality Comments from Website (May 25 & 26, 2017)
A campaign group called Fight for the Future has written to the US federal Communications Commission, demanding that the agency remove phony comments made in members' names from its website. Hundreds of thousands of comments posted to the FCC site in support of the agency's decision to gut net neutrality appear to have been posted by bots using stolen personal information. The group has also called for an investigation into the incident.[Editor Comments]
[Williams] Rather than focus on the demand to take down the obviously fraudulent comments, it is instructive to observe that the attackers used a freely available API to publish comments. There is no legitimate use for such an API as far as I can tell. While I'm generally for more automation, this has obvious abuses with minimal positive benefit. A simple CAPTCHA would have prevented the attacks (or at least substantially slowed attackers). When building APIs such as the one abused at the FCC, a great first question for organizations to ask is "do we really need this?"
Read more in:
BBC: Net neutrality: 'Dead people' signing FCC consultation http://www.bbc.com/news/technology-40057855
Fight for the Future: Letter to the FCC from people whose names and addresses were used to submit fake comments against net neutrality https://www.fightforthefuture.org/news/2017-05-25-letter-to-the-fcc-from-people-whose-names-and/
Google Play Store Purges Bad Apps (May 25 & 26, 2017)
Google has removed more than 40 apps from the Google Play Store after learning that they contained "rogue code" that caused the apps to open web pages in the background and click on banners. The code was downloaded after the apps were installed. The majority of the removed apps were free games; they had been downloaded 36 million times. Checkpoint discovered the malware, which they have dubbed Judy.[Editor Comments]
[Pescatore] When you look at the numbers (AV Test registers close to 400,000 new pieces of malware each day, 85% aimed at Windows, 3.5% at Android. Google Play contains 2.8M applications, etc.), the risk of malware hitting an Android user running Google Play is still orders of magnitude lower than that for a user on a Windows PC running signature-based AV. That said, Google needs to close the gaping hole that allows apps in Google Play that tested secure to load malicious code during installation.
Read more in:
Forbes: Google Just Killed What Might Be The Biggest Android Ad Fraud Ever https://www.forbes.com/sites/thomasbrewster/2017/05/26/google-shuts-down-massive-ad-fraud-on-play-store/#5f7108c47807
eWeek: Google Expunges Apps Tainted With Ad Fraud Malware From Play Store http://www.eweek.com/security/google-expunges-apps-tainted-with-ad-fraud-malware-from-play-store
Checkpoint: The Judy Malware: Possibly the largest malware campaign found on Google Play http://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/
V3: Android under attack from 'Judy', Google Play Store malware that has infected up to 36.5 million users https://www.v3.co.uk/v3-uk/news/3010863/android-under-attack-from-judy-google-play-store-malware-that-has-infected-up-to-365-million-users
Cyberscoop: Google takes swift action to kill massive ad fraud campaign in Play store https://www.cyberscoop.com/google-ad-fraud-chef-judy/
Some US Embassies Are Struggling with Digital Security (May 26, 2017)
According to a report from the US State Department's Office of Inspector General (OIG), one-third of Information Systems Security Officers at overseas embassies were not performing basic responsibilities, such analyzing systems regularly and monitoring servers, email systems, user libraries, and hard drives for anomalous activity. In some instances, these tasks were not being performed because of other responsibilities; in other cases, supervisors were not ensuring that staff were completing the tasks. The report is based on OIG inspections of overseas embassies between fall FY 2014 and spring FY 2016.Read more in:
Nextgov: U.S. Embassies Lag on Digital Security http://www.nextgov.com/cybersecurity/2017/05/us-embassies-lag-digital-security/138220/?oref=ng-technology-news-all
US State Department: Management Assistance Report: Non-Performance of Information Systems Security Officer Duties by Overseas Personnel (PDF) https://oig.state.gov/system/files/isp-17-24-_mar.pdf
FTC Finds Criminals Go After Posted Consumer Data Within Minutes (May 24 & 26, 2017)
The US Federal Trade Commission (FTC) created a database containing phony consumer information and posted it to two websites where such stolen information is made available. In less than 10 minutes, the database had been accessed, and soon after were trying to use the information to make fraudulent purchases.Read more in:
SC Magazine: FTC finds thieves attempt to use stolen data within 9 min of breach https://www.scmagazine.com/ftc-finds-data-breach-info-exploited-in-under-9-minutes/article/664540/
FTC: How fast will identity thieves use stolen info? https://www.consumer.ftc.gov/blog/how-fast-will-identity-thieves-use-stolen-info
GCHQ to Company Boards: Take Responsibility for Digital Security (May 25, 2017)
The head of the GCHQ's National Cyber Security Centre (NCSC) is emphatic that business leaders need to take more responsibility for cyber attacks on their systems. Ciaran Martin said that for boards to plead ignorance as a defense is unacceptable. Martin told an audience at telegraph Cyber Security Conference that "business leaders need to stop saying cyber security is too complicated - and stop devolving responsibility."[Editor Comments]
[Pescatore] I can't speak for Europe, but in the US there are not many boards (F5000) in that aren't paying attention to cybersecurity. 75% of CISOs in the US report briefing the BoD regularly. Boards will never be "responsible" for cybersecurity, any more than they are "responsible" for the company's financial performance. Boards have an oversight role, not an operations role. More importantly: boards rightly assume the Chief Financial Officer runs the financial side at least to a "basic financial hygiene" level - the board focuses on strategic financial issues, not financial operations. Most of the issue involved in security programs reaching the basic security hygiene level" can and should be solved at the CISO/CIO/CEO/COO level - the Board of Directors is not the answer to operational problems.
[Murray] Boards of Directors can no more solve the security problems of the enterprise than can the security staff. It is easier to chastise them for lack of responsibility than to tell them what to do. Like security, corporate governance is harder than it looks. The primary responsibility for the protection of assets must rest with the same line management that uses and controls those assets. While Boards do raise capital, they do not even allocate resources. Like staff, they do articulate goals and objectives and they do measure results. They must express the enterprise's tolerance for risk and ensure that management has assigned roles and responsibilities for protecting assets and that they have allocated sufficient resources to the effort.
Read more in:
Telegraph: UK cyber chief says directors are devolving responsibility for hacks http://www.telegraph.co.uk/technology/2017/05/25/uk-cyber-chief-says-directors-devolving-responsibility-hacks/
UN North Korea Sanctions Investigation Panel Reports Cyber Attack (May 22, 2017)
A United Nations (UN) panel of experts who are investigating violations of sanctions on North have told UN officials that it was the target of a "sustained" digital attack conducted by individuals "with very detailed insight" into the panel's work. Several members of the 1718 committee, as the panel is known, were targeted by similar attacks in 2016.Read more in:
Reuters: U.N.'s North Korea sanctions monitors hit by 'sustained' cyber attack http://www.reuters.com/article/us-cyber-un-northkorea-idUSKBN18I2GS
INTERNET STORM CENTER TECH CORNER
Analysis of Competing Hypotheses
https://isc.sans.edu/forums/diary/Analysis+of+Competing+Hypotheses+ACH+part+1/22460/Microsoft Master File Table BSOD Exploit
http://www.theregister.co.uk/2017/05/29/microsoft_master_file_table_bug_exploited_to_bsod_windows_7_81/SMTP Split Tunnel / Transparent Proxy Exploit
https://blog.securolytics.io/2017/05/split-tunnel-smtp-exploit-explained/FreeRADIUS Authentication Bypass
https://isc.sans.edu/forums/diary/FreeRadius+Authentication+Bypass/22466***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create