SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #61

July 28, 2017

TOP OF THE NEWS


Legislation Aims to Improve IoT Security
GAO Says US Defense Department Needs to Address IoT Security
Will Black Hat 2017 Mark a Sea Change for the Security Community?

THE REST OF THE WEEK'S NEWS


Open Source Software Can Help Secure Voting Process
Estonia to Establish First Data Embassy in Luxembourg
UK Man Detained in Las Vegas After DEF CON Allegedly Created Kronos Malware
Prison Sentence for Role in Ebury Botnet Schemes
Amazon to Suspend Sales of Android Blu Over Spyware Concerns
Chrome Extensions Hacked
Mozilla Introduces Self-Destructing File App
33 States Accepted DHS Election Security Help

INTERNET STORM CENTER TECH CORNER

************************ Sponsored By Unisys ****************************

"Protecting the Critical: An innovative approach to defending your Industrial Control Systems" Join this webinar with Mike Assante, SANS Director of Critical Infrastructure, and Unisys ICS industry security experts Chris Blask and Stuart Phillips, to learn how a micro-segmentation security strategy can help you modernize your ICS deployment without compromising security and privacy. http://www.sans.org/info/197195

***************************************************************************

TRAINING UPDATE

-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017

-- SANS Virginia Beach 2017 | August 21-September 1 | https://www.sans.org/event/virginia-beach-2017

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Baltimore 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Legislation Aims to Improve IoT Security (August 1 & 2, 2017)

US legislators have introduced the Internet of Things Cybersecurity Improvement Act of 2017, which would establish standards for companies that want to sell Internet of Things (IoT) devices to the federal government. Among the requirements: the devices must be capable of being patched; they must not have hard-coded passwords; and the vendors must ensure that the devices do not contain vulnerabilities when they are sold.

[Editor Comments]

[Murray] This guidance is well intended but may be overly simplistic. Expensive appliances with a long life (for example, printers, routers, TV displays, or refrigerators) should be "capable of being patched." Some may be the responsibility of the vendor, some the owner, but the responsibility must be clear. However, the capability to "patch" dramatically, and in some cases unnecessarily, increases the attack surface. Patches from vendors should be by means of VPNs secured by asymmetric cryptography, not passwords of any kind. Some cheap devices with a short life (for example, the little buttons given away by Amazon to re-order consumables) should simply be thrown away or replaced. Even sophisticated development shops (which should, just for example, include Adobe and Microsoft) have not demonstrated the ability to "ensure that the devices do not contain vulnerabilities when they are sold." Finally, we should distinguish between the security requirements of devices intended to be connected directly to and addressable on the Internet (e.g., cameras) and those intended only to be attached to private networks (e.g., baby monitors). Would God that all of this guidance be sufficiently complete, simple, or stable to be instantiated in legislation.

[Neely] In January, Forbes estimated spending on IoT technology to reach $267B by 2020, so vendors are prioritizing product delivery over product security to get a piece of the pie. The legislation is designed to protect and encourage bug hunters, establishing a bug hunting, aka bug bounty program. Success with bug bounties requires a lot of preparation along with the bandwidth to accept and patch reported findings which fledgling manufacturers lack. A recurring problem in the IoT space is making sure patches are applied. Device manufacturers need to provide consistent mechanisms for update and notification that support online and air-gapped/isolated devices, or patching will be missed.

[Ullrich] The bill doesn't sound too bad, and I like that it specifically requires the ability to securely patch the device, and requires the vendor to state for how long updates will be provided. But this bill will affect only federal procurement, so the problem of cheap vulnerable consumer devices may remain. Another bill (H. R. 1324), introduced in March, would give the FCC the ability to mandate security standards for all wireless devices requiring FCC certification. But that bill seems to be stuck.

Read more in:

CNET: Congress to smart device makers: Your security sucks https://www.cnet.com/news/congress-senate-iot-device-makers-your-security-sucks/
Dark Reading: Proposed IoT Security Bill Well-Intentioned But Likely Hard To Enforce http://www.darkreading.com/iot/proposed-iot-security-bill-well-intentioned-but-likely-hard-to-enforce/d/d-id/1329521?
eWeek: How the Federal Government Wants to Improve IoT Security http://www.eweek.com/security/how-the-federal-government-wants-to-improve-iot-security
KrebsOnSecurity: New Bill Seeks Basic IoT Security Standards https://krebsonsecurity.com/2017/08/new-bill-seeks-basic-iot-security-standards/
Scribd: Text of the Internet of Things Cybersecurity Improvement Act of 2017 https://www.scribd.com/document/355269230/Internet-of-Things-Cybersecurity-Improvement-Act-of-2017

GAO Says US Defense Department Needs to Address IoT Security (July 27 & 31, 2017)

According to a report from the Government Accountability Office (GAO), the US Department of Defense (DOD) lacks adequate rules to address the security threat posed by Internet of Things (IoT) devices. While DOD has established policies for certain IoT-related security risks, those policies are insufficient for certain devices. GAO recommends that DOD conduct appropriate operations security surveys and assess its current IoT-related policies to identify areas that need attention.

[Editor Comments]

[Neely] More and more devices include capabilities such as microphones, cameras, wireless and extra compute capabilities which can enable exfiltration of information. It is becoming increasingly difficult to purchase devices that don't contain these capabilities. Agencies have had to develop mechanisms to identify and physically disable capabilities that are inappropriate for the deployment environment.

[Northcutt] A few things to think about. 1) Don't assume that people automatically know if a device is IoT (hint: uses electricity and networks somehow, someway). 2) Scan for the devices, because our adversaries will. 3) Be vigilant to detect the devices phoning "home".
http://iotdesign.embedded-computing.com/articles/fundamentals-of-iot-device-management/

Read more in:

FCW: DOD risks 'rogue' apps under current IoT policy https://fcw.com/articles/2017/07/31/gao-iot-rogue-apps.aspx
GAO: Enhanced Assessments and Guidance Are Needed to Address Security Risks in DOD http://www.gao.gov/products/GAO-17-668?source=ra

Will Black Hat 2017 Mark a Sea Change for the Security Community? (August 2, 2017)

This Op-Ed piece focuses on Alex Stamos's keynote speech at Black Hat 2017, observing that "cybersecurity is mainstream and at the core of geopolitics, national security, policy decisions, human rights, and physical safety," and that it's time for the security community to grow up and "care about things that matter."

Read more in:

Threatpost: Will the Real Security Community Please Stand Up https://threatpost.com/will-the-real-security-community-please-stand-up/127156
*************************** SPONSORED LINKS *****************************
1) Join Cybereason's Sean Ennis, Senior Systems Engineer as he dissects specific DGA methods currently being used by malware and exploit kits. Register: http://www.sans.org/info/197200
2) Don't Miss: "5.3 Billion Reasons to Keep Up-to-date with BEC" Register: http://www.sans.org/info/197205
3) Learn about Infoblox's unique approach to detecting and preventing data exfiltration. http://www.sans.org/info/197210
****************************************************************************

THE REST OF THE WEEK'S NEWS

Open Source Software Can Help Secure Voting Process (August 3, 2017)

In an effort to improve the security of electronic voting systems, the National Association of Voting Officials is encouraging election officials to use open source software. The author of this piece argues that open source software is more secure than proprietary software.

[Editor Comments]

[Ullrich] Software security is important for voting machines. But just as important is transparency. Open source software may not be inherently more secure than closed source software, but it does provide transparency.

[Murray] Open Source software has not lived up to the promise that many eyes would result in more secure software. "Many eyes" has become "someone else will do it."

[Pescatore] I definitely agree with the "stop the purchase of insecure systems" but using open source software doesn't automatically equate to avoiding insecure software. All mission critical software and certainly all election software should be tested for vulnerabilities and malicious capabilities before being used. That testing can be via dedicated test labs or through well-managed bug bounty programs (emphasis on "well"), but just making the source code public does not assure that skilled testers look at it - let alone assure that the software was designed with security in mind. Data from a recent Rand Corp. survey on how long zero day vulnerabilities stay undiscovered show no statistical difference between open and closed software.

[Williams] Open source is not automatically more secure for a whole host of reasons, many of which were covered on a recent SANS webcast with Veracode (https://www.sans.org/webcast/recording/citrix/105425/132595). What we need is transparency and audit-ability, something that has been sorely missing in electronic voting systems where manufacturers have hidden behind intellectual property claims for too long.

Read more in:

NYT: To Protect Voting, Use Open-Source Software https://www.nytimes.com/2017/08/03/opinion/open-source-software-hacker-voting.html?_r=0

Estonia to Establish First Data Embassy in Luxembourg (August 3, 2017)

Estonia is about to establish its first data embassy. Estonia began planning the project in 2014. The pilot data embassy in Luxembourg will run copies of Estonia's critical systems in a secure data center. The data embassy will likely become operational in early 2018.

[Editor Comments]

[Honan] Having backup systems is always a key element of a mature business resilience strategy. However, doubling your systems also doubles your potential attack surface, so you need to ensure all of your systems are patched, secured, and updated to the same level.

Read more in:

ZDNet: Estonia steps up plan to counter cyber attacks by siting critical systems offshore http://www.zdnet.com/article/estonias-plan-to-put-critical-systems-on-foreign-soil-against-a-crisis-just-took-a-step-forward/

UK Man Detained in Las Vegas After DEF CON Allegedly Created Kronos Malware (August 3, 2017)

Marcus Hutchins, who just months ago figured out the "kill switch" for WannaCry, has been arrested in Las Vegas, Nevada, where he had attended DEF CON. Hutchins, who was arrested as he was heading home to the UK, is reportedly being held on suspicion that he created the Kronos banking malware.

[Editor Comments]

[Williams] The indictment notes that the co-conspirator sold the malware on AlphaBay, meaning they may have been arrested as part of the recent investigation. Hutchins was intentionally anonymous until being unmasked by the Daily Mail in May after creating the WannaCry kill switch. Many banking trojans are run by organized crime, making malware research a dangerous game (retribution is a real possibility if your identity is publicly known). Until all the facts are known, this arrest is likely to have a chilling effect on publicly releasing security research that could be considered to have a malicious use. Further, if you consider yourself "safe" from retribution because you only publish anonymously, know that the media are a resourceful bunch and you can find yourself publicly outed quickly.

Read more in:

Wired: Hacker Who Stopped WannaCry Charged for Writing Banking Malware https://www.wired.com/story/wannacry-malwaretech-arrest/
Ars Technica: Slayer of WCry worm charged with creating unrelated banking malware https://arstechnica.com/tech-policy/2017/08/researcher-who-stopped-wcry-worm-detained-under-mysterious-circumstances/
The Register: WannaCry kill-switch hero Marcus Hutchins collared by FBI on way home from DEF CON http://www.theregister.co.uk/2017/08/03/wannacry_killer_hutchins_arrested/
ZDNet: UK researcher who stopped WannaCry outbreak indicted over Kronos malware http://www.zdnet.com/article/researcher-who-stopped-wannacry-outbreak-arrested-in-us/
Ars Technica: Hutchins Indictment (PDF) https://cdn.arstechnica.net/wp-content/uploads/2017/08/Kronos-Indictment.pdf

Mozilla Introduces Self-Destructing File App (August 2, 2017)

Mozilla is testing an app that lets users create files that self-destruct after one download or after 24 hours. Firefox Send can accommodate files up to 1GB. It can be used "in any modern browser," although Firefox users may need to download Firefox 54. It works on Chrome; functionality in Edge is in development, and it works in Safari 11.0, which is currently available to developers. The app's functionality requires that Web Crypto API be implemented in the browser.

Read more in:

ZDNet: Firefox's new tool lets you send self-destructing 1GB files from any browser http://www.zdnet.com/article/firefoxs-new-tool-lets-you-send-self-destructing-1gb-files-from-any-browser/

33 States Accepted DHS Election Security Help (August 2, 2017)

The US Department of Homeland Security (DHS) provided cyber security assistance to 33 state election offices and 36 local election offices prior to the November 2016 election. Election systems have been designated as critical infrastructure. DHS is offering cyber hygiene assessments and risk and vulnerability assessments. DHS also shares critical threat information with critical infrastructure owners and operators.

Read more in:

The Hill: 33 states accepted DHS aid to secure elections http://thehill.com/policy/cybersecurity/344981-33-states-accepted-dhs-aid-to-secure-elections

INTERNET STORM CENTER TECH CORNER

Detect SMB Versions with nmap

https://isc.sans.edu/forums/diary/Rooting+Out+Hosts+that+Support+Older+Samba+Versions/22672/

CopyFish Google Chrome Extension Replaced by Adware

https://a9t9.com/blog/chrome-extension-adware/

StartCom Applying to be Included in Mozilla SSL CAs again

https://bugzilla.mozilla.org/show_bug.cgi?id=1311832#c12

McAfee Uses Mixed SSL/Non-SSL Content For Online Malware Scan

https://blogs.securiteam.com/index.php/archives/3350

Netflix Releases DoS Testing Tool

https://medium.com/netflix-techblog/starting-the-avalanche-640e69b14a06

Attacking NoSQL Applications

https://isc.sans.edu/forums/diary/Attacking+NoSQL+applications+part+2/22676/

Web Developer Chrome Toolbar Replaced with AdWare

https://twitter.com/chrispederick

Android Banking Trojans

https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/

Amazon Stops Selling Blu Smartphones

http://www.zdnet.com/article/amazon-halts-blu-phone-sales-over-potential-security-issue/

Raspberry Pi Honeypot

https://github.com/DShield-ISC/dshield

Troy Hunt Releases Password List

https://haveibeenpwned.com/Passwords

Typosquatting npm Packages

http://blog.npmjs.org/post/163723642530/crossenv-malware-on-the-npm-registry

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create