SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XIX - Issue #56

July 18, 2017

TOP OF THE NEWS

Cybersecurity Spending To Top $1 Trillion During The Next Five Years
The Most In-Demand Cyber Security Jobs
Cyber Insurance Covers Less than 15% of Damages: Lloyds of London Emerging Risk Report on Cyber Insurance
EternalBlue Scanner Finds 50,000 Vulnerable Machines

THE REST OF THE WEEK'S NEWS

FedEx Petya Fallout
UK Hospitals Get Funds for Cybersecurity
IBM Z Mainframe Aims for Pervasive Encryption
US Appeals Court: Gag Orders Do Not Violate First Amendment
Charges Filed in Defense Contractor Breach
Dow Jones Subscriber Data Exposed
UAE Responsible for Qatari Cyber Attacks
Law Enforcement Takes Down Dark Web Marketplace AlphaBay
US Customs and Border Protection Cannot Search Travelers' Cloud Data

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Splunk *******************************

Find Out How You Compare To Your Peers When It Comes To Incident Response.
How does your security operation stand up to today's ever increasing threats? Complete IDC's Security Response Readiness assessment to find out how you stack up against your peers and receive essential guidance from Splunk on what you should be doing to improve. http://www.sans.org/info/196555

***************************************************************************

TRAINING UPDATE

-- SANS OnDemand and vLive Training | Special MacBook Air Offer! Get a MacBook Air, HP ProBook 450 G4 or take $450 off your course until July 26. 30+ courses with books, labs, mp3, & SME support. https://www.sans.org/online-security-training/specials/

-- SANSFIRE 2017 | Washington, DC | July 22-29 | https://www.sans.org/event/sansfire-2017

-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017

-- SANS Security Awareness Summit | Nashville, TN | July 31-August 9 | https://www.sans.org/event/security-awareness-summit-2017

-- SANS Boston 2017 | August 7-12 | https://www.sans.org/event/boston-2017

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast â https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive â https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format âhttps://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about

-- Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

--Cybersecurity Spending To Top $1 Trillion During The Next Five Years (June 20, 2017)

Spending on cybersecurity between 2017 and 2021 will, according to a market research report, exceed $1 trillion. This will involve an increase in growth from 8-10% previously to 13-15% per year going forward.

Read more in:

CSO: Cybersecurity spending outlook: $1 trillion from 2017 to 2021 http://www.csoonline.com/article/3083798/security/cybersecurity-spending-outlook-1-trillion-from-2017-to-2021.html

--The Most In-Demand Cyber Security Jobs (July 17, 2017)

The three areas that companies are looking for most when it comes to cyber security specialists are penetration testers, cybersecurity engineers, and chief information security offices (CISOs). Organizations are also seeking leaders who identify security issues and work to fix them.

[Editor Comments]

[Assante] Important roles no doubt, but this data tells me we are still building walls, looking for holes in those walls, and piles of paper (policies). Walls are necessary but not sufficient, it is beyond time to seek people with security operations technical skills.

Read more in:

Tech Republic: The 3 most in-demand cybersecurity jobs of 2017 http://www.techrepublic.com/article/the-3-most-in-demand-cybersecurity-jobs-of-2017/

--Cyber Insurance Covers Less than 15% of Damages: Lloyds of London Emerging Risk Report on Cyber Insurance (July 10 & 17, 2017)

A report from Lloyds of London, using two realistic examples, shows that "Only around 15 percent of damages would be covered in the cloud example and 7 percent in the vulnerability example." Lloyds says that companies offering cybersecurity insurance should treat worldwide cyber attacks like natural disasters rather than as traditional crimes.

[Editor Comments]

[[Pescatore] Two comments: (1) One of the shortcomings of today's cyber insurance market is the lack of "re-insurance" - the ability for insurers to cede or offload some of their pooled risk to a third party insurer. This raises cost overall but is needed for cyber insurance to be stable and mature enough to become a standard tool used by CFOs. (2) Cybersecurity insurance does NOT bound risk, and will NOT reduce or replace any cybersecurity spending or processes. Lloyd's analysis shows that "Only around 15 percent of damages would be covered in the cloud example and 7 percent in the vulnerability example." Let's put it this way: Basic security hygiene is still required to prevent 85% of damage from a catastrophic cloud attack and 93% of the damage of attacks against unpatched or otherwise vulnerable systems.
[Honan] Lloyds of London report that the estimated worldwide cost to the global economy is US$ 51 Billion (https://www.reuters.com/article/us-cyber-lloyds-report-idUSKBN1A20AB) , which is on a par with the damage caused by Hurricane Sandy This will make insurance companies sit up and take notice and I expect us to see more robust demands being placed on companies seeking cyberinsurance to ensure they have appropriate levels of controls in place. It should also result in our industry benefiting from the experience in risk management from the insurance industry in how we better identify, quantify, and manage risk relating to our systems.

Read more in:

The Hill: Lloyds of London: Insure cyberattacks like natural disasters http://thehill.com/policy/cybersecurity/342311-lloyds-of-london-insure-cyberattacks-like-natural-disasters Lloyds: Counting the cost: A Lloyd's emerging risk report https://www.lloyds.com/news-and-insight/risk-insight/library/technology/countingthecost

--EternalBlue Scanner Finds 50,000 Vulnerable Machines (July 14, 2017)

A scanning tool has found that approximately 50,000 machines remain vulnerable to the EternalBlue exploit, which was used in the WannaCry ransomware and Petya wiper attacks. EternalBlue exploits a vulnerability in the Windows Server Message Block (SMB) protocol.

[Editor Comments]

[Neely] While challenges to replace systems continue, organizations can mitigate some risks by disabling SMBv1 wherever possible as well as monitoring and alerting on the use of SMBv1, coupled with isolation/protection of remaining vulnerable systems until they can be replaced or retired.

Read more in:

Dark Reading: 50,000 Machines Remain Vulnerable to EternalBlue Attacks http://www.darkreading.com/vulnerabilities---threats/50000-machines-remain-vulnerable-to-eternalblue-attacks/d/d-id/1329361? *************************** SPONSORED LINKS ********************************
1) John Pescatore and Skyhigh Networks discuss challenges that IT Security face deploying O365 across enterprises and how they're bridging the Security Gap. http://www.sans.org/info/196560
2) Register to learn why Zero Trust is the world's only true cybersecurity strategy. http://www.sans.org/info/196565
3) See how your efforts to keep the cloud secure for business compare. | Take the SANS Cloud Security Survey | Remain anonymous or enter your name to win a $400 gift certificate. http://www.sans.org/info/196570
******************************************************************************

THE REST OF THE WEEK'S NEWS

--FedEx Petya Fallout (July 17, 2017)

FedEx says that the Petya malware attacks that infected systems at its TNT unit, which operates in the European Union, will have a negative material impact. FedEx said that it may not be able to recover all affected systems. The company did not have cyber insurance.

[Editor Comments]

[Pescatore] The damage was worse than business disruption: FedEx's filing also said "In addition to financial consequences, the cyber-attack may materially impact our disclosure controls and procedures and internal control over financial reporting in future periods." That is likely the major reason for warning of "material impact," as there are no firm financial criteria for defining material impact, but if an event impacts ability to accurately report financial status and regulatory compliance, it is material.

Read more in:

ZDNet: FedEx said TNT Petya attack financial hit will be material, some systems won't come back http://www.zdnet.com/article/fedex-said-tnt-petya-attack-financial-hit-will-be-material-some-systems-wont-come-back/
Reuters: FedEx says cyber attack to hurt full-year results http://www.reuters.com/article/us-cyber-attack-fedex-idUSKBN1A21D7
FedEx: FedEx Files 10-K with Additional Disclosure on Cyber-Attack Affecting TNT Express Systems http://investors.fedex.com/news-and-events/investor-news/news-release-details/2017/FedEx-Files-10-K-with-Additional-Disclosure-on-Cyber-Attack-Affecting-TNT-Express-Systems/default.aspx

--UK Hospitals Get Funds for Cybersecurity (July 12, 2017)

UK health secretary Jeremy Hunt has pledged 21 million GBP (27.5 million USD) to be shared among NHS hospital trauma centres for cybersecurity improvements. The funds were designated for cybersecurity measures following the WannaCry ransomware attacks that hobbled NHS systems, disrupting appointments and operations.

[Editor Comments]

[Paller] The UK found this money quickly after the attacks. A useful rule-of-thumb, validated dozens of times, is that security people have, at most. 90 days to turn a breach into new money. The outrage and interest of top executives dissipates too quickly to get anything useful (even access to the executives) after 90 days.

Read more in:

The Guardian: Hospitals to receive ú21m to increase cybersecurity at major trauma centres https://www.theguardian.com/society/2017/jul/12/hospitals-to-receive-21m-to-increase-cybersecurity-at-major-trauma-centres

--IBM Z Mainframe Aims for Pervasive Encryption (July 17, 2017)

IBM has developed a new mainframe computer capable of powering 12 billion encrypted transactions a day. The IBM Z mainframe is able to encrypt 13 gigabytes of data per second per chip; each mainframe has approximately 24 chips. The increased power and speed would allow organizations to encrypt far more data than they currently can.

[Editor Comments]

[Pescatore] Encryption is the *easy* part, key management and distribution to make sure *decryption* works is the hard part. For cloud-based services, encrypting all storage is a good starting point - if there is basic security hygiene in place to make sure that encryption keys are protected from the bad guys and always available to the good guys. Ransomware attacks get way easier to succeed when they only need to encrypt your keys vs. all your data...
[Neely] Robust key management also needs to be present. The encryption key will be the target of attack rather than the encryption itself. Management and escrow of those keys is critical to ensure data can always be recovered once encrypted.
[Murray] One suggested use case is that financial transaction data be encrypted at all times except when it is being acted upon. The increased capacity will handle the increased number of encrypt and decrypt operations that this would require. This is a mature offering built on IBM's forty years of product experience in encryption and automatic key management tools.
[Northcutt] IBM aims for more than that, they hope the Z will be the primary platform for financial systems. Mainframes, Outsourced cybersecurity, Cognitive computing and blockchain are the bright spots in a company adapting to a changing world.
http://www.serverwatch.com/server-news/ibm-mainframe-revenue-growing-as-overall-systems-revenue-decline.html
http://www.cnbc.com/2017/07/17/ibm-unveils-new-mainframe-capable-of-running-more-than-12-billion-encrypted-transactions-a-day.html
https://www.technologyreview.com/s/607965/a-reality-check-for-ibms-ai-ambitions/

Read more in:

Wired: IBM's Plan to Encrypt Unthinkable Amounts of Sensitive Data https://www.wired.com/story/ibm-z-mainframe-encryption/ ZDNet: IBM launches IBM Z, a revamped mainframe with pervasive data encryption http://www.zdnet.com/article/ibm-launches-ibm-z-a-revamped-mainframe-with-pervasive-data-encryption/ Washington Post: To battle hackers, IBM wants to encrypt the world https://www.washingtonpost.com/news/the-switch/wp/2017/07/17/to-battle-hackers-ibm-wants-to-encrypt-the-world/

--US Appeals Court: Gag Orders Do Not Violate First Amendment (July 17, 2017)

A US federal appeals court has ruled that the gag orders accompanying national security letters (NSLs) do not violate the First Amendment. The ruling comes in a case brought by Cloudflare and Credo Mobile, which between the two companies received five NSLs between 2011 and 2013. Their lawsuit maintained that they had a First Amendment right to notify their customers. In 2013, a district judge initially ruled that the letters were unconstitutional, but later stayed and then reversed her decision after legislators added civil liberties protections.

Read more in:

The Hill: Federal court rejects challenge to national security data requests http://thehill.com/policy/national-security/342356-fed-court-rules-national-security-letters-do-not-violate-first

--Charges Filed in Defense Contractor Breach (July 17, 2017)

The US Department of Justice (DoJ) has unsealed an indictment against two people charged with "a criminal conspiracy relating to computer fraud and abuse, unauthorized access to, and theft of information from, computers, wire fraud, exporting a defense article without a license, and violating sanctions against Iran." Arrest warrants have been issued for both men. They are accused of breaking into an engineering consulting and software design company in Vermont (Arrow Tech) to steal software with the intent to resell it. A third man has already pleaded guilty to charges stemming from the case.

Read more in:

Fifth Domain: Iranian nationals charged with hacking US defense contractor http://fifthdomain.com/2017/07/17/iranian-nationals-charged-with-hacking-us-defense-contractor/ DoJ: Two Iranian Nationals Charged in Hacking of Vermont Software Company https://www.justice.gov/opa/pr/two-iranian-nationals-charged-hacking-vermont-software-company

--Dow Jones Subscriber Data Exposed (July 16, 2017)

A misconfiguration in a cloud computing service exposed personally identifiable information of some Dow Jones subscribers. The incident affects approximately 2.2 million records; the compromised data include names, usernames, physical and email addresses and in come cases, the last four digits of payment card numbers.

Read more in:

WSJ: Dow Jones Inadvertently Exposed Some Customers' Information https://www.wsj.com/articles/dow-jones-inadvertently-exposed-some-customers-information-1500237742

--UAE Responsible for Qatari Cyber Attacks (July 16, 2017)

According to US intelligence officials, the UAE was behind cyber attacks against Qatari government and social media sites in May. The attacks were designed to plant phony quotes that were falsely attributed to Qatar's emir. The phony comments sparked discord between Qatar and its neighbors.

Read more in:

Washington Post: UAE orchestrated hacking of Qatari government sites, sparking regional upheaval, according to U.S. intelligence officials https://www.washingtonpost.com/world/national-security/uae-hacked-qatari-government-sites-sparking-regional-upheaval-according-to-us-intelligence-officials/2017/07/16/00c46e54-698f-11e7-8eb5-cbccc2e7bfbf_story.html

--Law Enforcement Takes Down Dark Web Marketplace AlphaBay (July 13 & 14, 2017)

In a cooperative effort, law enforcement agencies from Canada, the US, and Thailand took down underground contraband online bazaar AlphaBay on July 5. AlphaBay was launched in December 2014. The Silk Road, another underground website that trafficked mainly in illegal drugs, was shut down in October 2013.

Read more in:

Wired: The Biggest Dark Web Takedown Yet Sends Black Markets Reeling https://www.wired.com/story/alphabay-takedown-dark-web-chaos/ WSJ: Illegal-Goods Website AlphaBay Shut Following Law-Enforcement Action https://www.wsj.com/articles/illegal-goods-website-alphabay-shut-following-law-enforcement-action-1499968444 CyberScoop: AlphaBay shut down by law enforcement raids across three countries https://www.cyberscoop.com/alphabay-shut-down-alexandre-cazes-dead-dark-web/

--US Customs and Border Protection Cannot Search Travelers' Cloud Data (July 12 & 13, 2017)

While US Customs and Border Protection (CBP) does have the authority to search travelers' mobile devices without their consent and often without a warrant, that authority does not extend to travelers' data stored in the cloud. The CBP acknowledged the limitation in response to a letter from Senator Ron Wyden (D-Oregon). Their authority is limited to "information that is physically resident on an electronic device transported by an international traveler."

[Editor Comments]

[Murray] This information is reassuring but should not be relied upon by travelers. In a world of ubiquitous high speed connectivity, enterprise and other sensitive data should not be carried across borders on portable devices but accessed as needed using encrypted connections. End users should not rely upon this representation that US Customs and Border Protection officials are not authorized to look beyond the device but should ensure that their devices are not persistently connected to cloud services as they cross any border. (e.g., log off of Google Drive, Dropbox, etc. For iOS and Android devices, delete the apps; both the apps and the connections can be easily recovered as needed.)

[Honan] Given that many cloud services replicate data to devices, for example cloud file storage solutions, this is an issue companies really need to consider when allowing staff to use their own personal devices for accessing corporate data. If your staff use personal cloud services on their computers and/or mobile devices your data could be copied into their personal cloud storage, which in turn could be replicated onto their mobile device. Should any other third parties, be that a border agent or otherwise, access that device they could also access your corporate data.

[Neely] This applies to US CBP, not international customs. If you have data you don't want examined, don't have it on the device to begin with. Remove it as part of your preparation to travel, not at the border control point, and restore it only when you need it again.

Read more in: CNET: US Border Patrol says it won't search travelers' cloud data https://www.cnet.com/news/us-border-patrol-says-it-wont-search-travelers-cloud-data/ NBC News: Border Patrol Says It's Barred From Searching Cloud Data on Phones http://www.nbcnews.com/news/us-news/border-patrol-says-it-s-barred-searching-cloud-data-phones-n782416 MSNBC: Wyden Letter (PDF) http://msnbcmedia.msn.com/i/MSNBC/Sections/NEWS/170712-cpb-wyden-letter.pdf

INTERNET STORM CENTER TECH CORNER

NemucodAES UPS Malspam

https://isc.sans.edu/forums/diary/NemucodAES+and+the+malspam+that+distributes+it/22614/

Analyzing Malicious Office Document With LNK

https://isc.sans.edu/forums/diary/Office+maldoc+lnk/22618/

Gandi Breach Leads to Domain Compromise

https://news.gandi.net/en/2017/07/detailed-incident-report/

iSmart Alarm Vulnerabilities

http://dojo.bullguard.com/blog/burglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities/

SMS Phishing Asks Victims to Upload Picture of Token Card

https://isc.sans.edu/forums/diary/SMS+Phishing+induces+victims+to+photograph+its+own+token+card/22616/

Critical FreeRADIUS Update

https://guidovranken.wordpress.com/2017/07/17/11-remote-vulnerabilities-inc-2x-rce-in-freeradius-packet-parsers/

OS X Malware Installs Crypto Messenger Signal

https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/

---

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create