
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #8

January 27, 2017

TOP OF THE NEWS

Destructive Shamoon 2 Hits Saudi Businesses and Government Agencies
Legislation Calls for Car Cybersecurity Standards Study
Gmail to Block JavaScript Attachments

THE REST OF THE WEEK'S NEWS

St. Louis Public Library Recovers From Ransomware Without Paying Demand
Firefox Updated to Version 51
Arrests in Taiwan ATM Theft Scheme
Man Arrested for Allegedly Spoofing eMail, Stealing Money from Kansas County
Trump Still Using Off-the-Shelf Android
US Government is Denied Appeal in Microsoft Case
Microsoft Releases Fix for Mac Remote Desktop App

INTERNET STORM CENTER TECH CORNER


*************************** Sponsored By RSA ****************************

Increase Your Impact Without Expanding Your Security Team. Close resource gaps on your security team without adding staff, and improve their ability to detect and respond to threats. The right technology can empower analysts to work more effectively on more complex tasks and enhance the skill set across the team.

Find out how: http://www.sans.org/info/191742

***************************************************************************

TRAINING UPDATE

--SANS Southern California - Anaheim 2017 | Anaheim, CA |February 6-11, 2017 | https://www.sans.org/event/anaheim-2017

--SANS Munich Winter 2017 | Munich, Germany | February 13-18, 2017 | https://www.sans.org/event/munich-winter-2017

--SANS Secure Japan 2017 | Tokyo, Japan | February 13-25, 2017 | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017

--SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017

--SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017

--SANS Online Training: Get an iPad Pro, Samsung Galaxy Tab S2, or $500 off with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Destructive Shamoon 2 Hits Saudi Businesses and Government Agencies (January 26, 2017)

Malware known as Shamoon 2 has hit Saudi Arabian government offices and private companies. At least 15 organizations have experienced infections. The malware erased computers' hard drives. Shamoon 2 was first spotted in 2012, when it was used to wipe disks on computers at Saudi Aramco. Shamoon 2 is believed to be the work of Iranian state-sponsored attackers.


[Editor Comments]

[Henry]
I've said this many times before, and I'll say it yet again: Escalation of destructive cyber warfare, especially among nation-states, will spiral out of control and harm many. States must sit down and negotiate this as they do with other types of weapons. Failure to do so will result in catastrophe.

Read more in:

The Register: Disk-nuking malware takes out Saudi Arabian gear; Yeah, wipe that smirk off your face, Iran
-http://www.theregister.co.uk/2017/01/26/shamoon_2_hits_saudi_arabian_targets/

Legislation Calls for Car Cybersecurity Standards Study (January 26, 2017)

Legislation introduced in the U.S. House of Representatives would have the National Highway Traffic Safety Administration (NHTSA) spearhead a study of cybersecurity standards for cars built or sold in the U.S. The Security and Privacy in Your Car Study Act of 2017 calls for NHTSA to study the issue in cooperation with the Federal Trade Commission (FTC), the National Institute of Standards and Technology (NIST) and other stakeholders.


[Editor Comments]

[Henry]
The auto industry baking in this necessary security, rather than Congress having to legislate, would be ideal. Autos are ubiquitous, touch almost all Americans, and failure to implement that security was bound to result in regulation. When the digital world starts to impact the physical world, beyond mere data exfiltration, we'll see more and more congressional involvement.

[Pescatore]
There is a long history of safety standards for automobiles that have been driven primarily by the insurance industry and the government over the years. Good idea to extend that to how lack of basic security hygiene in vehicle software can impact safety. It's much more important than focusing on privacy.

Read more in:

ThreatPost: Bill Calls for Study of Cybersecurity Standards for Cars
-https://threatpost.com/bill-calls-for-study-of-cybersecurity-standards-for-cars/123380/

Gmail to Block JavaScript Attachments (January 26, 2017)

Starting next month, Gmail will no longer allow JavaScript attachments. Users will not be allowed to attach .JS files, even if they are included in archives. .JS is joining a long list of banned file extensions that have been used to spread malware.


[Editor Comments]

[Ullrich]
About time. Even though I am doing quite a bit of development in JavaScript these days, I have yet to receive a legitimate JavaScript attachment, and the vast majority of malicious attachments I receive do use JavaScript as a downloader.

[Williams]
This is the right thing to do. Two notes: 1. Attackers have long bypassed this by using zip files "encrypted for your safety." 2. Now that Gmail is blocking .js attachments, it's time to ask if your org should be too (the answer is yes).

[Honan]
Follow the example of Google and block emails with script files attached or embedded in attachments. Relying on anti-virus software alone to defend against malicious software is no longer sufficient.

Read more in:

Computerworld: Gmail will block JavaScript attachments, a common source of malware
-http://computerworld.com/article/3161898/security/gmail-will-block-javascript-attachments-a-common-source-of-malware.html
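The control described in this item, blocking .JS attachments even when they sit inside an archive, and the editor comments about "encrypted for your safety" zip files and blocking script attachments at your own gateway, can be illustrated with a small mail check. The code below is an added example, not code from the newsletter, from Google or from any mail product: it parses a raw message, flags script attachments directly or inside (nested) zip archives, and treats an encrypted or unreadable archive as something to hold for review rather than pass. The extension list, the verdict names and all sample messages are constructed for this example; Gmail's full banned-extension list is not reproduced.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions treated as script attachments (assumed subset for this example).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    """Lower-cased extension of a file name, or '' if it has none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data, depth=0, max_depth=3):
    """Return findings for a zip payload as (kind, entry_name) tuples.

    kind is 'script' for a script file, 'encrypted' for an entry whose
    contents cannot be read, or 'bad_archive' for unparseable bytes.
    Nested zips are opened up to max_depth levels."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("bad_archive", "")]
    findings = []
    for info in zf.infolist():
        name, ext = info.filename, _ext(info.filename)
        if ext in SCRIPT_EXTENSIONS:        # entry names stay visible even when encrypted
            findings.append(("script", name))
        elif info.flag_bits & 0x1:          # bit 0 of the general-purpose flags = encrypted
            findings.append(("encrypted", name))
        elif ext in ARCHIVE_EXTENSIONS and depth < max_depth:
            findings.extend(inspect_zip(zf.read(name), depth + 1, max_depth))
    return findings


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and return (verdict, findings).

    'block'  - a script attachment is present, directly or inside a zip
    'review' - an encrypted or malformed archive could not be inspected
    'allow'  - nothing of concern found"""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in SCRIPT_EXTENSIONS:
            findings.append(("script", name))
        elif ext in ARCHIVE_EXTENSIONS:
            findings.extend(inspect_zip(part.get_payload(decode=True) or b""))
    kinds = {kind for kind, _ in findings}
    if "script" in kinds:
        return "block", findings
    if kinds & {"encrypted", "bad_archive"}:
        return "review", findings
    return "allow", findings


# --- constructed fixtures so the check runs offline ----------------------

def build_message(attachments):
    """Constructed sample message carrying (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def make_zip(entries, mark_encrypted=False):
    """Build a zip in memory. With mark_encrypted, set bit 0 of the
    general-purpose flag in each local header (offset 6) and central
    directory entry (offset 8), which is what an inspector sees for a
    password-protected archive; the entry data itself is left as-is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    blob = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = blob.find(sig)
            while pos != -1:
                blob[pos + off] |= 0x01
                pos = blob.find(sig, pos + 4)
    return bytes(blob)


if __name__ == "__main__":
    samples = {
        "plain .js": build_message([("invoice.js", b"// script")]),
        "zip with .js": build_message([("invoice.zip", make_zip([("invoice.js", b"// script")]))]),
        "encrypted zip": build_message([("docs.zip", make_zip([("invoice.docx", b"doc")], True))]),
        "pdf": build_message([("invoice.pdf", b"%PDF-1.4")]),
    }
    for label, raw in samples.items():
        print(label, "->", scan_message(raw))
```

The important design choice is the 'review' verdict: an archive the gateway cannot open is not evidence of safety, so it is held rather than allowed, which is the gap the "encrypted for your safety" trick relies on. Extension checks are by name only; a production gateway would also look at content type and magic bytes.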



*************************** SPONSORED LINKS ********************************

1) See Why Infoblox is Born to Protect at RSA Booth #S2607. http://www.sans.org/info/191747

2) SANS 2017 Threat Hunting Survey - Is threat hunting proactive, reactive or both? Tell us in this SANS survey and enter to win a $400 Amazon Gift Card: http://www.sans.org/info/191752

3) SANS 2017 SOC Survey is NOW OPEN - It takes a village to protect today's networks from cyber threats. Tell us how your organization is accomplishing these tasks and enter to win a $400 Amazon gift card! http://www.sans.org/info/191757

******************************************************************************

THE REST OF THE WEEK'S NEWS

St. Louis Public Library Recovers From Ransomware Without Paying Demand (January 26, 2017)

The St. Louis (Missouri) Public Library (SLPL) computer system was infected with malware last week. Rather than pay the USD 35,000 ransom demand, the SLPL contacted the FBI and set to work restoring its systems from backups. Studies show that many organizations are unsure how to manage the threat of ransomware; more than half of respondents to at least two surveys said they would be willing to pay the ransom to recover their data, and many said they had already paid ransomware demands.


[Editor Comments]

[Henry]
Prevention of this type of attack is the ultimate solution. Absent that, a Continuity of Operations Plan (COOP) is necessary for companies against "all-hazards", both natural and man-made. That plan should always include backup and off-site storage of data, which would facilitate and expedite recovery from a ransomware attack.

[Honan]
Europol, in partnership with other law enforcement agencies and private sector companies, has set up the NoMoreRansom website, www.nomoreransom.org, which will publish all known ransomware decryption keys. Should a system become compromised with ransomware, the NoMoreRansom website is a good first stop to determine if the data can be recovered.

[Williams]
It's great to see that organizations are finally taking ransomware seriously and have a plan. If you have a hard time getting traction on a ransomware defense and recovery plan, get the chief risk officer or legal counsel involved. In my experience, once they understand the risk they'll champion the program for you.

Read more in:

Dark Reading: Most Companies Still Willing to Pay Ransom
-http://www.darkreading.com/attacks-breaches/most-companies-still-willing-to-pay-ransom-to-recover-data-survey-shows/d/d-id/1327990?

Firefox Updated to Version 51 (January 25, 2017)

Mozilla has updated Firefox to version 51; the newest release of the browser includes fixes for 24 security issues. It also alerts users when they are entering information in a form or web page that is not SSL/TLS secured. Mozilla has also updated Firefox ESR to version 45.7. Chrome 56, which was rolled out this week, also alerts users to non-HTTPS pages.


[Editor Comments]

[Northcutt]
I have upgraded and things still seem to be working and Firefox is my default browser. Here is their page on the updates:
-https://www.mozilla.org/en-US/firefox/51.0/releasenotes/

Read more in:

ZDNet: Mozilla Firefox 51 warns you when visiting insecure, data-grabbing website:
-http://www.zdnet.com/article/mozilla-firefox-51-warns-users-when-logging-into-insecure-http-websites/

SC Magazine: Mozilla issues five critical patches for Firefox and Firefox ESR
-https://www.scmagazine.com/mozilla-issues-five-critical-patches-for-firefox-and-firefox-esr/article/633852/

eWeek: Firefox 51 Improves Security Notifications for Insecure Forms
-http://www.eweek.com/security/firefox-51-improves-security-notifications-for-insecure-forms.html

The Register: Firefox bares teeth, attacks sites that collect personal data
-http://www.theregister.co.uk/2017/01/25/firefox_attacks_cleartext_sites_that_fail_https_check/

Ars Technica: Firefox, Chrome start calling HTTP connections insecure
-https://arstechnica.com/information-technology/2017/01/firefox-chrome-start-calling-http-connections-insecure/

Arrests in Taiwan ATM Theft Scheme (January 25, 2017)

Authorities in Taiwan have arrested three people from Eastern Europe in connection with an ATM theft scheme that netted the thieves USD 2.6 million. The group allegedly broke into more than 40 First Commercial Bank machines in three different cities in July 2016. The bank temporarily froze withdrawals from more than 1,000 cash machines in Taiwan. Nineteen other people are suspected of being involved as well.

Read more in:

SC Magazine: Three men convicted of ATM hacking in Taiwan, another 19 at large
-https://www.scmagazineuk.com/three-men-convicted-of-atm-hacking-in-taiwan-another-19-at-large/article/633681/

Man Arrested for Allegedly Spoofing eMail, Stealing Money from Kansas County (January 25, 2017)

A Georgia (U.S.) man was arrested for allegedly spoofing the email of the CEO of a Kansas company and tricking Sedgwick County (Kansas) employees into transferring USD 566,000 into his corporate bank account. George James has been charged with wire fraud for misdirecting the transfer of funds that were intended to be paid to a Kansas company for roadwork.


[Editor Comments]

[Williams]
Use some out of band (usually telephonic) communication to verify wire payment requests and destinations. Don't let the person call you; call them back from a number you obtain out of band (from their website, for instance).

[Honan]
CEO fraud is one of the more prevalent issues we are seeing affecting clients. While this is predominantly a process and human interaction threat, there is a lot that can be done to enhance the security of our email systems to minimise the threat. The EU CERT has published a white paper called DMARC - Defeating Email Abuse:
-http://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU%20SWP-17_001_v1_2_DMARC.pdf

and Barclays Bank has a very good video to raise awareness of this amongst business people:
-https://youtu.be/HLiy_nQLJP0

Read more in:

SC Magazine: Cybercrime Blotter: Man arrested for spoofing CEO's email, stealing $566,000 from Kansas county
-https://www.scmagazine.com/cybercrime-blotter-man-arrested-for-spoofing-ceos-email-stealing-566000-from-kansas-county/article/633821/

U.S. Attorney: Georgia Man Charged with Cyber Crime That Cost Sedgwick County $566,000
-https://www.justice.gov/usao-ks/pr/georgia-man-charged-cyber-crime-cost-sedgwick-county-566000
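The editor comment on this item points to DMARC as the mail-system side of a defence against spoofed CEO email. A domain owner's first check is whether its own DMARC record actually tells receivers to do anything with mail that fails SPF/DKIM alignment. The checker below is an added example, not code from the newsletter or from the CERT-EU paper: it parses a DMARC TXT record into its tags and reports the settings that leave the domain spoofable, following the tag semantics of RFC 7489 (p, sp defaulting to p, pct, rua). The two sample records and the example.invalid addresses are constructed; no DNS lookup is performed.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict.

    Returns None if the text is not a DMARC record: tags are 'k=v' pairs
    separated by ';' and the first tag must be v=DMARC1 (RFC 7489 6.4)."""
    tags = {}
    first = True
    for field in record.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            return None
        key, value = (s.strip() for s in field.split("=", 1))
        key = key.lower()
        if first and (key != "v" or value.upper() != "DMARC1"):
            return None
        first = False
        tags[key] = value
    return tags if "v" in tags else None


def assess_dmarc(record):
    """Return a list of weaknesses; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record: receivers have no policy to enforce"]
    issues = []
    p = tags.get("p", "").lower()
    if p not in ("quarantine", "reject"):
        issues.append(f"p={p or 'missing'}: spoofed mail is delivered and only reported")
    sp = tags.get("sp", p).lower()      # sp falls back to p when absent (RFC 7489 6.3)
    if sp not in ("quarantine", "reject"):
        issues.append(f"sp={sp or 'missing'}: mail from subdomains can be spoofed")
    pct = tags.get("pct", "100")        # share of failing mail the policy applies to
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct}: the policy is applied to only part of failing mail")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports, so spoofing attempts go unseen")
    return issues


# Constructed sample records (no real domain is queried).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"
STRICT_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc-reports@example.invalid; "
                 "ruf=mailto:dmarc-forensic@example.invalid")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("strict", STRICT_RECORD), ("not dmarc", "v=spf1 -all")):
        print(label, "->", assess_dmarc(rec) or ["no issues"])
```

To run this against a real domain, fetch the TXT record at `_dmarc.<domain>` with a DNS resolver and pass the string in. A record that passes this check still depends on SPF and DKIM being set up for every legitimate sending service; the monitoring stage (p=none with rua) exists precisely to find those services before enforcement is switched on.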

Trump Still Using Off-the-Shelf Android (January 25, 2017)

Donald Trump is still using an unsecured Android phone for some of his communications, mostly posts on Twitter. In addition, some White House staffers still have private email accounts on a private, Republican National Committee (RNC) email server.

Read more in:

New York Times: That Old Phone Trump Uses for Twitter Could Be an Opening to Security Threats
-https://www.nytimes.com/2017/01/25/technology/donald-trump-phone-social-media-security.html?_r=0

Wired: Trump's Still Using His Old Android Phone; That's Very, Very Risky
-https://www.wired.com/2017/01/trump-android-phone-security-threat/

The Register: President Trump tweets from insecure Android, security boffins roll eyes
-http://www.theregister.co.uk/2017/01/26/trump_insecure_android_twitter/

SC Magazine: Trump staffers use private email server, president still favors unsecured Android
-https://www.scmagazine.com/trump-staffers-use-private-email-server-president-still-favors-unsecured-android/article/633858/

Newsweek: Trump White House Senior Staff Have Private RNC eMail Accounts
-http://www.newsweek.com/trump-emails-rnc-reince-priebus-white-house-server-548191

US Government is Denied Appeal in Microsoft Case (January 24, 2017)

An appeals court has denied the U.S. government's request to reconsider a decision that it cannot demand that Microsoft turn over customer data stored outside the country. In a 4-4 decision, the U.S. Court of Appeals for the Second Circuit declined to rehear the case. While the court acknowledged "the gravity of this concern," the Stored Communications Act does not allow international searches under a U.S. warrant.


[Editor Comments]

[Honan]
It should be remembered that this case does not apply to other US legislation which impacts on the privacy of non-US citizens, such as FISA and the Patriot Act. All the more reason we need to ensure agreements such as Privacy Shield are robust enough to protect the privacy and rights of all; however, this unfortunately does not seem to be the case.

Read more in:

Computerworld: Court denies U.S. government appeal in Microsoft overseas email case
-http://computerworld.com/article/3161165/security/court-denies-us-government-appeal-in-microsoft-overseas-email-case.html

Microsoft Releases Fix for Mac Remote Desktop App (January 24, 2017)

On January 17, Microsoft released a fix for a vulnerability in its Mac Remote Desktop app that could be exploited to execute arbitrary code. The code execution flaw affects the Microsoft Remote Desktop client for Mac versions 8.0.36 and earlier. The issue lies in the way the app handles RDP URLs. Users are urged to upgrade to version 8.0.37.

Read more in:

The Register: Microsoft fixes remote desktop app Mac hole
-http://www.theregister.co.uk/2017/01/24/microsoft_fixes_remote_desktop_app_mac_hack/

Softpedia: Microsoft Fixes Security Flaw Making Apple Users Vulnerable to Hackers
-http://news.softpedia.com/news/microsoft-fixes-security-flaw-making-apple-users-vulnerable-to-hackers-512150.shtml


Microsoft: Microsoft Remote Desktop
-https://itunes.apple.com/au/app/microsoft-remote-desktop/id715768417?mt=12

INTERNET STORM CENTER TECH CORNER

Cisco Releases Patch for Chrome Webex Plugin
-https://continuum.cisco.com/2017/01/23/its-a-good-idea-to-patch-your-webex-chrome-extension-now/

Companies Fall for Fake Ransomware
-https://www.citrix.com/blogs/2017/01/24/bluff-ransomware-attacks-bamboozle-british-businesses/

systemd privilege escalation vulnerability
-http://www.openwall.com/lists/oss-security/2017/01/24/4

nginx update released
-http://nginx.org/en/CHANGES

Cisco WebEx Remains Vulnerable. Other Browsers Affected
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex

Malicious SVG Files Found in the Wild
-https://isc.sans.edu/forums/diary/Malicious+SVG+Files+in+the+Wild/21971/

W2 Scams Hitting Again
-http://www.nbcdfw.com/news/local/Argyle-ISD-Employees-Hit-with-Data-Breach-411337825.html

XXE Entity Vulnerability in Uber
-https://httpsonly.blogspot.co.ke/2017/01/0day-writeup-xxe-in-ubercom.html?m=1

Firefox 51 Released
-https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/

IOCs: Risks of False Positive Floods
-https://isc.sans.edu/forums/diary/IOCs+Risks+of+False+Positive+Alerts+Flood+Ahead/21977/

Android Ransomware in Google Play Store
-http://blog.checkpoint.com/2017/01/24/charger-malware/

OpenSSL Update
-https://www.openssl.org/news/vulnerabilities.html#y2017

Facebook To Implement U2F (FIDO) Login
-https://www.facebook.com/notes/facebook-security/security-key-for-safer-logins-with-a-touch/10154125089265766

WebEx Update
-https://bugs.chromium.org/p/project-zero/issues/detail?id=1100


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board