SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #45

June 6, 2017

TOP OF THE NEWS


Contractor Arrested in Connection with Leaked NSA Report
US Supreme Court Will Hear Mobile Phone Location Data Case
Pandemic CIA Cybertool Infects Computers Through File Servers

THE REST OF THE WEEK'S NEWS


Healthcare Cyber Security Task Force Report
VA Will Adopt Electronic Health Record System Used by Defense Department
EternalBlue Now Being Used to Distribute More Malware
Newest Version of Safari Will Block Autoplay by Default
GAO Report: FDIC Needs to Improve Security Controls
US Department of Health and Human Services OIG Report
ICO Data on Reported Breaches

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Splunk *************************

Learn How to Quickly Analyze Network Events With Splunk. Let us take you step-by-step through a security investigation to understand where and how an attacker entered your network and how to remediate the threat. Start with a demo video then perform the investigations yourself in a live, preconfigured Splunk instance to identify the root cause of the infection. http://www.sans.org/info/195330

***************************************************************************

TRAINING UPDATE

-- Digital Forensics & Incident Response Summit & Training | Austin, TX | June 22-29 |
https://www.sans.org/event/digital-forensics-summit-2017

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |
http://www.sans.org/u/qqF

-- SANS London July 2017 | July 3-8 |
http://www.sans.org/u/pSD

-- SANS Cyber Defence Singapore | July 10-15 |
http://www.sans.org/u/pSI

-- SANS ICS & Energy-Houston 2017 | July 10-15, 2017 |
https://www.sans.org/event/ics-houston-summit-training-2017

-- SANSFIRE 2017 | Washington, DC | July 22-29 |
http://www.sans.org/u/r4U

-- SANS London September 2017 | September 25-30 |
https://www.sans.org/event/london-september-2017

-- SANS Network Security | Las Vegas, NV | September 10-17 |
https://www.sans.org/event/network-security-2017

-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X9
Contact mentor@sans.org

-- Looking for training in your own community?
Community - http://www.sans.org/u/Xo

-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD

Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN

***************************************************************************

TOP OF THE NEWS

Contractor Arrested in Connection with Leaked NSA Report (June 5, 2017)

An NSA report leaked to a US media outlet indicates that Russian intelligence agents hacked computers belonging to a voting systems manufacturer just weeks before the November 2016 presidential election. The stolen information is believed to have been used in a spear phishing campaign. A government contractor has been arrested in connection with the leak.

[Editor Comments]

[Northcutt] Here is the famous Intercept URL (the Intercept is the organization the alleged leaker sent the data to):

https://theintercept.com/2017/06/05/top-secret-nsa-report-details-russian-hacking-effort-days-before-2016-election/
Wired magazine reported, "Intercept reporters then shared the report, in some form, with intelligence officials at the Office of the Director of National Intelligence and the NSA prior to publication to discuss redacting any details that might be damaging to national security." If you absolutely must disclose Top Secret information, please try to do so in a responsible manner. Note they welcome leaks and are open to topics other than Russian hacking:

https://theintercept.com/leak/
https://theintercept.com/2017/05/27/leaked-documents-reveal-security-firms-counterterrorism-tactics-at-standing-rock-to-defeat-pipeline-insurgencies/
Regarding the Hill article focused on the voting machine manufacturer hack, from time to time experts raise concerns about electronic voting machines:

http://money.cnn.com/2016/08/09/technology/voting-machine-hack-election/index.html
http://www.csmonitor.com/USA/Politics/2016/0901/Do-electronic-voting-machines-put-2016-election-at-risk
The timing of the release is interesting; ex-FBI Director James Comey is scheduled to testify on the topic of Russian interference in the 2016 election this coming Thursday:

http://www.cnn.com/2017/06/05/politics/comey-testimony-trump/
Read more in:

The Hill: Report: Russians hacked US voting systems maker just before election http://thehill.com/policy/cybersecurity/336422-russian-intelligence-hacked-voting-systems-maker-spearphished-its
The Hill: Gov't contractor charged with leaking classified info to media http://thehill.com/homenews/administration/336432-federal-government-contractor-charged-for-leaking-classified-material
Wired: Feds Charge NSA Contractor Accused of Exposing Russian Hacking https://www.wired.com/2017/06/feds-charge-alleged-nsa-leaker-exposed-russian-election-hacking/

US Supreme Court Will Hear Mobile Phone Location Data Case (June 5, 2017)

The US Supreme Court will hear arguments in a case regarding the need for a warrant to use cell-site data to track a suspect's location. The case, Carpenter v. United States, No. 16-402, involves data held by a mobile phone company. The question is whether police are required to obtain a warrant to access mobile phone location histories. Police currently have access to the information without the need for a warrant through the third-party doctrine, which allows police to demand information from companies if the information is considered a normal business record.

Read more in:

NYT: Supreme Court Agrees to Hear Cellphone Tracking Case https://www.nytimes.com/2017/06/05/us/politics/supreme-court-cellphone-tracking.html
Ars Technica: Supreme Court agrees to rule if cops need warrant for cell-site data https://arstechnica.com/tech-policy/2017/06/supreme-court-agrees-to-rule-if-cops-need-warrant-for-cell-site-data/
CNET: Supreme Court to hear case on tracking phone location data https://www.cnet.com/news/supreme-court-to-hear-case-on-tracking-phone-location-data/

Pandemic CIA Cybertool Infects Computers Through File Servers (June 1, 2017)

WikiLeaks has published information about a purported CIA cybertool that can infect computers through file servers. Known as Pandemic, the tool can be used to turn Windows file servers into machines that distribute whatever malware the attacker wants to use. When a computer that the tool wants to infect tries to access a file on the server, the computer is served a malicious version of that file.
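The defensive counterpart to the behaviour described above is to stop trusting a file because of where it was fetched from and to verify it against digests recorded at publication time instead. The following is an added example, not code from the newsletter, WikiLeaks, or the Pandemic documentation; the file names, contents, and the manifest format are constructed for the demonstration.

```python
"""Integrity check for files retrieved from a file share.

Models the mitigation for a share that hands some clients a substituted
copy of a file: the client keeps a trusted manifest of SHA-256 digests
recorded when the files were published, and any retrieved copy whose
digest differs is treated as untrusted, even if name and size match.
All paths, contents and digests here are constructed sample data.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    path: str
    status: str            # "ok", "MODIFIED" or "MISSING_FROM_MANIFEST"
    expected: Optional[str]
    observed: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(published: Dict[str, bytes]) -> Dict[str, str]:
    """Record digests at publication time, before the files reach the share."""
    return {path: sha256_hex(data) for path, data in published.items()}


def verify_retrieved(manifest: Dict[str, str],
                     retrieved: Dict[str, bytes]) -> List[Finding]:
    """Compare what a client actually received against the trusted manifest."""
    findings = []
    for path, data in sorted(retrieved.items()):
        observed = sha256_hex(data)
        expected = manifest.get(path)
        if expected is None:
            status = "MISSING_FROM_MANIFEST"   # file the publisher never shipped
        elif observed == expected:
            status = "ok"
        else:
            status = "MODIFIED"                # same name, different bytes
        findings.append(Finding(path, status, expected, observed))
    return findings


# Constructed publisher-side view of the files and their trusted digests.
PUBLISHED = {
    "tools/setup.exe": b"MZ\x90\x00" + b"A" * 28,   # stand-in for a trusted binary
    "docs/readme.txt": b"Install notes, version 1.0\n",
}
MANIFEST = build_manifest(PUBLISHED)

# Constructed client-side view: setup.exe came back with different bytes but
# the same name and the same length, and an extra binary appeared.
RETRIEVED = {
    "tools/setup.exe": b"MZ\x90\x00" + b"B" * 28,
    "docs/readme.txt": PUBLISHED["docs/readme.txt"],
    "tools/extra.exe": b"MZ\x90\x00unexpected",
}


def run_check() -> Dict[str, str]:
    """Map each retrieved path to its verification status."""
    return {f.path: f.status for f in verify_retrieved(MANIFEST, RETRIEVED)}
```

Size and name comparison would have passed the substituted binary; only the digest check catches it.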

Read more in:

Ars Technica: WikiLeaks says CIA's "Pandemic" turns servers into infectious Patient Zero https://arstechnica.com/security/2017/06/wikileaks-says-cias-pandemic-implant-turns-servers-into-malware-carriers/
BleepingComputer: CIA Malware Can Switch Clean Files With Malware When You Download Them via SMB https://www.bleepingcomputer.com/news/security/cia-malware-can-switch-clean-files-with-malware-when-you-download-them-via-smb/
*************************** SPONSORED LINKS *****************************
1) Don't Miss: "SecOps principles to close gaps in Vulnerability Management" with John Pescatore. Register: http://www.sans.org/info/195335
2) Webcast: "Evaluation Criteria for ICS Cyber Security Monitoring with Rockwell Automation and Claroty" Register: http://www.sans.org/info/195340
3) Be sure to check out "Fighting Account Takeover - Change The Battle and Win" Register: http://www.sans.org/info/195345
***************************************************************************

THE REST OF THE WEEK'S NEWS

Healthcare Cyber Security Task Force Report (June 5, 2017)

The US Department of Health and Human Services Health Care Industry Cybersecurity Task Force has released its first report to US legislators. The report underscores the point that digital vulnerabilities are threats not only to information but also to patients' safety. It calls for the government and private sector healthcare entities to work together on six imperatives that include defining leadership, governance, and expectations for healthcare cybersecurity; increasing the resilience and security of medical devices and IT; and identifying ways to protect research and development and intellectual property from theft.

[Editor Comments]

[Pescatore] A solid set of recommendations but a lot of focus on new frameworks, regulations, etc. vs. overcoming obstacles that caused decades of talk about and spending on security and privacy around personal health information and medical equipment with very little actual progress. While the Critical Security Controls were not specifically cited, good to see basic security hygiene concepts sprinkled across the higher priority recommendations.

[Murray] Legislation is difficult; HIPAA is the example. Few laws were better intended; few have had such perverse effects. Health data duplication has increased, much of it still on paper. "Portability" is a joke, privacy and security breaches routine, use of IT sparse, expensive, ineffective and despised by the service providers. After twenty years we still wait patiently for any of its promises to be met. IT "modernization" may be necessary but it will be difficult under the law and far from a solution to all the problems.

Read more in:

The Hill: Federal task force: Here's how to fix healthcare cybersecurity http://thehill.com/policy/cybersecurity/336394-federal-healthcare-cybersecurity-task-force-releases-report
Fifth Domain: HHS Cyber Task Force wants better partnerships, stronger federal leadership http://fifthdomain.com/2017/06/02/hhs-cyber-task-force-wants-better-partnerships-stronger-federal-leadership/
PHE: Health Care Industry Cybersecurity Task Force https://www.phe.gov/Preparedness/planning/CyberTF/Documents/report2017.pdf

VA Will Adopt Electronic Health Record System Used by Defense Department (June 5, 2017)

The US Department of Veterans Affairs is moving from its legacy electronic health record (EHR) system to a commercial, off-the-shelf product that is also used by the Defense Department (DoD). The VA will drop its Veterans Information Systems and Technology Architecture (VistA) and switch to the MHS Genesis EHR system. The move means that military personnel's EHRs can move with them from DoD to VA once they retire from the military. The VA's system will have additional capabilities so it can interact smoothly with its healthcare partners around the country.

[Editor Comments]

[Neely] The VA plan calls for participation from clinicians, read customization, and the 2018 budget calls for a $218M cut to IT spending, which, in combination, can cause a project like this to fail. Management of the scope and adequate budget are crucial for success and should be planned before they start. I worry the VA is not considering the migration effort nor the resources required to run in parallel until the cutover completes.

Read more in:

FNR: Shulkin announces new direction for VA electronic health record https://federalnewsradio.com/veterans-affairs/2017/06/shulkin-announces-new-direction-for-va-electronic-health-record/
The Hill: VA to use same electronic health record system as military http://thehill.com/policy/cybersecurity/336392-va-to-use-same-electronic-health-record-system-as-military

EternalBlue Now Being Used to Distribute More Malware (June 5, 2017)

The EternalBlue exploit that was used in the WannaCry ransomware attacks is now being used to distribute the Nitol backdoor and Gh0stRAT malware. The exploit takes advantage of a flaw in the Windows Server Message Block (SMB) networking protocol.

Read more in:

ZDNet: Leaked NSA hacking exploit used in WannaCry ransomware is now powering Trojan malware http://www.zdnet.com/article/leaked-nsa-hacking-exploit-used-in-wannacry-ransomware-is-now-powering-trojan-malware/
SC Magazine: EternalBlue, used in WannaCry, now with Nitol backdoor and Gh0st RAT https://www.scmagazine.com/eternalblue-used-in-wannacry-now-with-nitol-backdoor-and-gh0st-rat/article/666426/
Threatpost: EternalBlue Exploit Spreading Gh0st Rat, Nitol https://threatpost.com/eternalblue-exploit-spreading-gh0st-rat-nitol/126052/
FireEye: Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html

Newest Version of Safari Will Block Autoplay by Default (June 5, 2017)

At its Developers Conference this week, Apple said that the newest version of its Safari browser will automatically block autoplay. Another new feature, intelligent tracking prevention, will block websites from tracking users' browser data, which means users will no longer see searches conducted on one site appear as advertisements on another.

Read more in:

CNET: Safari will automatically block those annoying autoplay videos https://www.cnet.com/news/wwdc-privacy-high-sierra-safari-blocking/
Recode: WWDC 2017: Everything important Apple announced at its big event https://www.recode.net/2017/6/5/15740882/wwdc-2017-need-to-know-apple-ios-watchos-mac-ipad-siri

GAO Report: FDIC Needs to Improve Security Controls (June 2, 2017)

According to a report from the US Government Accountability Office (GAO), the Federal Deposit Insurance Corporation (FDIC) needs to do more to improve its information security controls. The report also notes that while the FDIC has implemented "numerous information security controls intended to protect its key financial systems," there are still concerns regarding access controls and the isolation of its financial systems from the rest of its network.

Read more in:

FCW: FDIC dinged again for inadequate infosec https://fcw.com/articles/2017/06/02/fdic-infosec-gao-gunter.aspx
GAO: FDIC Needs to Improve Controls over Financial Systems and Information http://www.gao.gov/assets/690/684999.pdf

US Department of Health and Human Services OIG Report (June 2, 2017)

The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has submitted its semi-annual report to Congress. Among OIG's findings: HHS "faces challenges to protect the privacy and security of the data it collects and maintains."

Read more in:

Nextgov: Health Data Security Tops HHS' List of Challenges http://www.nextgov.com/cybersecurity/2017/06/health-data-security-tops-hhs-list-challenges/138364/?oref=ng-technology-news-all
OIG HHS: Semiannual Report to Congress: October 1, 2016 to March 31, 2017 (PDF) https://oig.hhs.gov/reports-and-publications/archives/semiannual/2017/sar-spring-2017.pdf

ICO Data on Reported Breaches (June 1, 2017)

According to data obtained from the UK's Information Commissioner's Office (ICO), 43 percent of breaches reported between January 2014 and December 2016 affected the healthcare sector. While healthcare had the highest percentage of reported breaches, other sectors are seeing greater increases in the number of breaches reported. Across all sectors, more breaches were caused by human error than by external cyber threats.

Read more in:

The Register: Healthcare tops UK data breach chart - but it's not what you're thinking http://www.theregister.co.uk/2017/06/01/data_breach_analysis/

INTERNET STORM CENTER TECH CORNER

Phishing Campaigns for Bitcoin

https://isc.sans.edu/forums/diary/Phishing+Campaigns+Follow+Trends/22482/

Mouseover May Trigger Powerpoint Macro

https://www.dodgethissecurity.com/2017/06/02/new-powerpoint-mouseover-based-downloader-analysis-results/

Vault 7 "Pandemic" Tool

https://wikileaks.org/vault7/document/Pandemic-1_1-S-NF/Pandemic-1_1-S-NF.pdf

Mozilla Considering Move Away From OCSP

https://bugzilla.mozilla.org/show_bug.cgi?id=1366100

Finding XOR Keys Used To Encode Malware

https://isc.sans.edu/forums/diary/Malware+and+XOR+Part+1/22486/

Citywide IMSI Discovery

https://seaglass.cs.washington.edu

Hijacking Country Level Domains

https://thehackerblog.com/the-journey-to-hijacking-a-countrys-tld-the-hidden-risks-of-domain-extensions/index.html


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create