SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #5
January 17, 2017SANS "Best of 2016" awards nomination deadline is Monday Feb. 6. Tell us about the products and services that really worked for you in 2016.
More information: https://www.surveymonkey.com/r/SANSBestof2016
Each person who sends in a nomination or participates in the survey is eligible to win an iPad.
TOP OF THE NEWS
U.S. Senators Reintroduce Energy Grid Protection BillWindows 10 Anniversary Update Protects Machines From Zero-Day Attacks
Microsoft Urges Organizations to Migrate to Windows 10
Microsoft Will Move to Database Instead of Bulletins With February's Update
THE REST OF THE WEEK'S NEWS
Malware Hits UK National Health Service Trust SystemsPhishing Campaign Uses Embedded VBS to Infect Computers
Samsung SmartCam Flaw
College Student Pleads Guilty to Selling Keystroke Logger
Chicago Police Face Civil Lawsuit Over Cell Site Simulator Use
Backdoor or Feature in WhatsApp?
WordPress Update
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER*********************** Sponsored By Sophos Inc. ************************
The New XG Firewall: See how Sophos is redefining next-gen with ultimate firewall performance, security and control.
Learn more: http://www.sans.org/info/191502
***************************************************************************
TRAINING UPDATE
--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017
--SANS Southern California - Anaheim 2017 | Anaheim, CA |February 6-11, 2017 | https://www.sans.org/event/anaheim-2017
--SANS Munich Winter 2017 | Munich, Germany | February 13-18, 2017 | https://www.sans.org/event/munich-winter-2017
--SANS Secure Japan 2017 | Tokyo, Japan | February 13-25, 2017 | https://www.sans.org/event/secure-japan-2017
--SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017
--SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017
--SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017
--SANS Online Training: Get an iPad Pro, Samsung Galaxy Tab S2, or $500 off with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.
--Single Course Training SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/
***************************************************************************
TOP OF THE NEWS
U.S. Senators Reintroduce Energy Grid Protection Bill (January 13, 2017)
Two U.S. Senators have introduced the Securing Energy Infrastructure Act, which "would examine solutions to defend the U.S. energy grid using a 'retro' approach that has shown promise as a safeguard against cyber-attacks by replacing key devices like computer-connected operating systems, which can be vulnerable to cyber-attacks, with less-vulnerable analog and human-operated systems."[Editor Comments ]
[Pescatore ]
The language in the bill does not really favor "retro" solutions that would try to make the power industry go backwards. The language would appropriate $11.5M dollars for a 2 year voluntary pilot program to explore "researching, developing, testing, and implementing technology platforms and standards, in partnership with covered entities, to isolate and defend industrial control systems of covered entities from security vulnerabilities and exploits." Increased resistance to cyber-attacks that decreases a system's ability to meet customer demands and react quickly to environmental issues would reduce reliability of any infrastructure, not increase it.
[Murray ]
Whether it is true or not, operators of the grid feel that their inability to respond to changes In load or component failures represent a bigger risk than malicious interference. They would be more supportive of a strategy that relies upon strong authentication and end-to-end encryption to maintain or improve their access to critical controls while hiding them from everyone else.
Read more in:
Homeland Prep News: King, Risch introduce bill to defend potential cyber attacks
-https://homelandprepnews.com/policy/us_policy/20750-king-risch-introduce-bill-de
fend-energy-grid-potential-cyber-attacks/
Daily Energy Insider: Sen. Heinrich cosponsors legislation to protect energy grid from cyber attacks
-https://dailyenergyinsider.com/news/2885-sen-heinrich-cosponsors-legislation-pro
tect-energy-grid-cyber-attacks/
Senate: Risch, King Reintroduce Legislation to Protect Energy Grid from Cyber-Attacks
-http://www.risch.senate.gov/public/index.cfm/2017/1/risch-king-reintroduce-legis
lation-to-protect-energy-grid-from-cyber-attacks
Windows 10 Anniversary Update Protects Machines From Zero-Day Attacks (January 16, 2017)
Researchers from Microsoft's Windows Defender security team testing exploit mitigation features in the Windows 10's Anniversary Update say they would have protected PCs from attacks exploiting two zero-day vulnerabilities. The flaws were patched in Microsoft's November 2016 security update. The researchers tested Windows 10 and Edge's AppContainer sandboxing and stronger validation against flaws that the company patched in November 2016.[Editor Comments ]
[Pescatore ]
What Microsoft calls "Offense Driven Research" and "Data Driven Software Defense" efforts have resulted in measurable increases in the difficulty of exploiting many of the common classes of Windows vulnerabilities. I'd like to see some "false positive" data - do these mitigations built into Windows and Edge increase the chances of a patch breaking a widely used legitimate application? Another powerful step forward would be Microsoft embracing the Apple App Store/Google Play model to be the Windows norm.
[Northcutt ]
Win 10 is certainly an improvement over former MS OS implementations. It is still a trade off of privacy information over features and security. Where the balance point is it is hard to say:
-https://www.wired.com/2015/08/windows-10-security-settings-need-know/
Read more in:
ZDNet: Windows 10 security: 'So good, it can block zero-days without being patched'
-http://www.zdnet.com/article/windows-10-security-so-good-it-can-block-zero-days-
without-being-patched/
Microsoft Urges Organizations to Migrate to Windows 10 (January 16, 2017)
Microsoft is urging Windows 7 users to upgrade to Windows 10. According to Markus Nitschke, head of Windows at Microsoft Germany, Windows 7, which was released in 2009, "does not meet the requirements of modern systems, nor the security requirements of IT departments." Microsoft moved Windows 7 off mainstream support in 2014; security updates will end on January 14, 2020.[Editor Comments ]
[Pescatore ]
While there is no doubt Windows 10 brings security improvements over Windows 7 (as the previous Microsoft item pointed out,) realistically that increase in security is just one factor in the cost/benefit tradeoff of replacing Windows 7 before end of support. A few operational changes (like moving to strong authentication, application control and privilege management) are cost effective ways of extending Windows 7 life while actually reducing the attack aperture, as the Australian Signals Directorate has demonstrated.
[Murray ]
Historically Microsoft has favored backwards compatibility over security. Thus, my Office 2007 applications run fine under Windows 10. Indeed, all COTS software runs well under Windows 10. Windows XP software that cannot easily migrate to Windows 10 is enterprise built software that may not very orderly in the first place. However, in a world of cheap hardware it should not be an issue. I have three XP systems in my living room, mostly for access to their files, but they are servers, not my desktop. If I want to use an application on one of them, I VPN to it but I would not expose that application to the Internet.
Read more in:
Ars Technica: Microsoft tells corps to remember XP, migrate away from Windows 7 sooner than later
-http://arstechnica.com/information-technology/2017/01/microsoft-tells-corps-to-r
emember-xp-migrate-away-from-windows-7-sooner-than-later/
Microsoft Will Move to Database Instead of Bulletins With February's Update (January 13, 2017)
Starting with next month's security update, Microsoft will no longer issue detailed bulletins. Instead, Microsoft will publish information to a searchable database of support documents. The company said that the same information would be available in the database as was offered in the bulletins. The database, known as the Security Updates Guide (SUG), has been available in preview since November 2016. The information can be sorted and filtered by affected software, patch release date, severity, impact, and KB number or CVE identifier. Microsoft has also made changes to its patch rollups for Windows 7 and 8.1.[Editor Comments ]
[Murray ]
However, newly discovered vulnerabilities and patches will no longer be "news."
Read more in:
Computerworld: Microsoft slates end to security bulletins in February
-http://computerworld.com/article/3157832/windows-pcs/microsoft-slates-end-to-sec
urity-bulletins-in-february.html
ZDNet: Microsoft details tweaks to its Windows 7, 8.1 patch rollups
-http://www.zdnet.com/article/microsoft-details-tweaks-to-its-windows-7-8-1-patch
-rollups/
MSRC: Security TechCenter: Security Updates Guide
-https://portal.msrc.microsoft.com/en-us/
*************************** SPONSORED LINKS ********************************
1) Webcast: "Practical Application of Threat Intel for Network Defenders" with Dave Shackleford and Tim Helming. Register: http://www.sans.org/info/191487
2) Don't Miss: Implementing and Maintaining a DevSecOps Approach in the Cloud - Tips, tricks, operational and security best practices. Register: http://www.sans.org/info/191492
3) SANS 2017 SOC Survey is NOW OPEN - It takes a village to protect today's networks from cyber threats. Tell us how your organization is accomplishing these tasks and enter to win a $400 Amazon gift card! http://www.sans.org/info/191497
******************************************************************************
THE REST OF THE WEEK'S NEWS
Malware Hits UK National Health Service Trust Systems (January 13 & 16, 2017)
Barts Health NHS Trust in East London made the decision to take some systems offline after they became infected with a Trojan horse program on Friday, January 13. As of Monday morning, January 16, most systems were back online, although the Trust's filesharing system remains offline for the duration of the investigation. The attack may have taken advantage of the Windows XP systems that the trust runs. Barts is the UK's largest NHS Trust.Read more in:
ZDNet: Trojan malware blamed for cyberattack at Barts Health NHS hospitals
-http://www.zdnet.com/article/trojan-malware-blamed-for-cyberattack-at-barts-ener
ghealth-nhs-hospitals/
V3: UK's largest NHS Trust hit by ransomware attack via ancient Windows XP PCs
-http://www.v3.co.uk/v3-uk/news/3002562/uks-largest-nhs-trust-hit-by-ransomware-a
ttack-via-ancient-windows-xp-pcs
Telegraph: Largest NHS trust hit by cyber attack
-http://www.telegraph.co.uk/news/2017/01/13/largest-nhs-trust-hit-cyber-attack/
Phishing Campaign Uses Embedded VBS to Infect Computers (January 16, 2017)
A narrowly-targeted phishing attack is using VBS to infect machines with keystroke logging software. The attack has been used against a major U.S. financial services provider. The phishing email messages include a Microsoft Word attachment with an embedded object in the form of a Visual Basic Script (VBS).Read more in:
ZDNet: This phishing email uses and unexpected trick to infect PCs with keylogger malware
-http://www.zdnet.com/article/this-phishing-email-uses-an-unexpected-trick-to-inf
ect-pcs-with-keylogger-malware/
Samsung SmartCam Flaw (January 16, 2017)
A critical remote code execution flaw in Samsung SmartCam security cameras could be exploited to gain root control of the devices. When Samsung tried to fix security issues several years ago, the company removed the local web interface but left the local server running on the devices. Attackers could potentially access these servers by pushing custom malware files.[Editor Comments ]
[Murray ]
Huge attack surface to manage for a single application purpose built device. These were early devices and there are not very many of them. I will worry more when we start to have problems with the Amazon Shop Dash Buttons.
Read more in:
Computerworld: Critical flaw lets hackers take control of Samsung SmartCam cameras
-http://computerworld.com/article/3158204/security/critical-flaw-lets-hackers-tak
e-control-of-samsung-smartcam-cameras.html
Softpedia: Samsung's Smartcams Can Be Hacked to Gain Root Access
-http://news.softpedia.com/news/samsung-s-smartcams-can-be-hacked-to-gain-root-ac
cess-511872.shtml
Exploiteers: Re-Hacking The Samsung Smartcam
-https://blog.exploitee.rs/2017/re-hacking-the-samsung-smartcam/
College Student Pleads Guilty to Selling Keystroke Logger (January 14 & 16, 2017)
A computer science undergraduate student at James Madison University in Virginia has pleaded guilty to aiding and abetting computer intrusions. Zachary Shames admitted he sold keystroke logging software. Shames is now facing up to 10 years in prison.[Editor Comments ]
[Williams ]
Based on my calculations, the student made at most about $100k on this keylogger. Hardly worth the jail time. I'm not sure why major media outlets are not covering the amount he likely made (other than it isn't specified in the plea agreement). In any case, this is a powerful warning to those writing (and later attempting to profit from) "educational malware."
Read more in:
The Register: Promising compsci student sold key-logger infects 16,000 machines, pleads guilty, faces jail
-http://www.theregister.co.uk/2017/01/14/students_keylogger_guilty/
CyberScoop: Virginia student pleads guilty to creating and selling keylogger on HackForums
-https://www.cyberscoop.com/hacker-arrest-hackforums-keylogger/?category_news=tec
hnology
Chicago Police Face Civil Lawsuit Over Cell Site Simulator Use (January 13, 2017)
The City of Chicago (Illinois) and several members of the Chicago Police Department are named in a civil lawsuit alleging that the use of cell site simulator technology, sometimes called stingray, without a warrant, violated individuals' civil rights. The case involves the use of the devices to snoop on people at a January 2015 public protest.Read more in:
SC Magazine: Attorney files civil litigation against Chicago for use of stingrays without warrant
-https://www.scmagazine.com/attorney-files-civil-litigation-against-chicago-for-u
se-of-stingrays-without-warrant/article/631615/
Ars Technica: Lawyer sues Chicago police, claims they used stingray on him
-http://arstechnica.com/tech-policy/2017/01/lawyer-sues-chicago-police-claims-the
y-used-stingray-on-him/
Document Cloud: Jerry Boyle v. Chicago et al
-https://www.documentcloud.org/documents/3284733-Jerry-Boyle-v-Chicago-Et-Al.html
Backdoor or Feature in WhatsApp? (January 13, 2017)
On January 13, The Guardian published a story alleging that a vulnerability in the WhasApp encrypted messaging service could allow messages to be intercepted and read. Critics have observed that the issue is not a backdoor, but instead a feature that helps ensure messages are not lost when people change devices or SIM cards.[Editor Comments ]
[Murray ]
Crypto is harder than it looks but stronger than it needs to be for most applications. Do not use device-to-device crypto for life and death applications.
Read more in:
Ars Technica: Reported "backdoor" in WhatsApp is in fact a feature, defenders say
-http://arstechnica.com/security/2017/01/whatsapp-and-friends-take-umbrage-at-rep
ort-its-crypto-is-backdoored/
CNET: WhatsApp again dogged by privacy questions, but there's a fix
-https://www.cnet.com/news/whatsapp-again-dogged-by-privacy-questions-but-theres-
a-fix/
Dark Reading: WhatsApp Denies It Has Backdoor For Decrypting Messages
-http://www.darkreading.com/endpoint/whatsapp-denies-it-has-backdoor-for-decrypti
ng-messages-/d/d-id/1327894?
The Guardian: WhatsApp vulnerability allows snooping on encrypted messages
-https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snoo
ping-on-encrypted-messages
WordPress Update (January 12 & 13, 2017)
An incremental update for WordPress 4.7 fixes 62 bugs and eight security flaws. WordPress 4.7.1 was released on January 11. WordPress 4.1 was released on December 6, 2016. One of the fixes in WordPress 4.7.1 is for an issue in the PHPMailer library.Read more in:
The Register: WordPress plugs eight holes in latest release
-http://www.theregister.co.uk/2017/01/13/wordpress_plugs_eight_holes_in_latest_re
lease/
eWeek: WordPress 4.7.1 Updates for 8 Security Issues
-http://www.eweek.com/security/wordpress-4.7.1-updates-for-8-security-issues.html
WordPress: WordPress 4.7.1 Security and Maintenance Release
-https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-rele
ase/
INTERNET STORM CENTER TECH CORNER
Backup Files Are Good if They are Outside Your Web Servers Document Root-https://isc.sans.edu/forums/diary/Backup+Files+Are+Good+but+Can+Be+Evil/21935/
Exploiting Apache Server Status
-http://blog.mazinahmed.net/2017/01/exploiting-misconfigured-apache-server-status
-instances.html
WhatsApp "Backdoor" Controversy
-https://www.theguardian.com/technology/2017/jan/13/whatsapp-backdoor-allows-snoo
ping-on-encrypted-messages
-https://whispersystems.org/blog/there-is-no-whatsapp-backdoor/
Hardening Windows 10
-https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-ze
ro-day-exploit-mitigations/
Injecting JavaScript Into PDFs
-http://insert-script.blogspot.in/2016/10/pdf-how-to-steal-pdfs-by-injecting.html
Whitelisting File Extensions in Apache
-https://isc.sans.edu/forums/diary/Whitelisting+File+Extensions+in+Apache/21937/
Wordpress 4.7.1 Updates PHPMailer
-https://wordpress.org/news/2017/01/wordpress-4-7-1-security-and-maintenance-rele
ase/
Tricky Phishing Attacks Harvesting Google Passwords
-https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/
More Refined Browser Fingerprinting Via GPU Features
-https://drive.google.com/file/d/0B4s900Byvv1ibW5uc1NiU2g3R3c/view
***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
