SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #37
May 10, 2016
TOP OF THE NEWS
FTC and FCC Launch Inquiries Into Mobile Device Update IssuesMisconfigured AV Scan Caused Medical Procedure Delay
Firefox 47 Ends Plugins Whitelist
THE REST OF THE WEEK'S NEWS
Legislator Seeks Definition for Act of CyberwarBangladesh Bank Says Cyberheist Caused by Faulty Software Installation
Man Arrested for Breaking Into State Election Website
Twitter Prohibits Dataminr From Selling Analytics to Intelligence Agencies
Virustotal Policy Change
Equifax Website Data Breach Affects Kroger Employees
FBI Told Law Enforcement to Recreate Stingray-Gathered Evidence
Lenovo Fixes Privilege Elevation Flaw in Lenovo Solution Center
Bill Would Elevate CISO Position at US Dept. of Health and Human Services
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER******************* Sponsored By Bracket AlienVault ***********************
Trying to figure out where to start when it comes to Open Source Network Security Tools? Download a free beginner's guide to learn more:
http://www.sans.org/info/185597
***************************************************************************
TRAINING UPDATE
--SANS Baltimore Spring 2016 | Baltimore, MD | May 9-14 | 9 courses in IT security, cyber defense, incident handling, security management, and Windows forensics plus multiple SANS@Night talks.
http://www.sans.org/u/gR7
--SANS Houston 2016 | Houston, TX | May 9-14 | 7 courses including the NEW Network Penetration Testing & Ethical Hacking course.
http://www.sans.org/u/dzE
--SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh
--Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV
--SANSFIRE 2016| Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
http://www.sans.org/u/gRr
--DFIR Summit & Training | Austin, TX | June 23-30, 2016 DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!
http://www.sans.org/u/gBD
--Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!
-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org
--Looking for training in your own community?
Community - http://www.sans.org/u/Xj
--SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy
Plus Prague, Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI
***************************************************************************
TOP OF THE NEWS
FTC and FCC Launch Inquiries Into Mobile Device Update Issues (May 9, 2016)
The US Federal Trade Commission (FTC) and Federal Communications Commission (FCC) have both launched inquiries into the patching of mobile devices. The inquiries are seeking information about how carriers and hardware vendors manage updates and patches. The inquiries were prompted by concerns that updates were not being made available quickly enough.-http://www.zdnet.com/article/apple-google-face-questions-over-lingering-security
-flaws/
-http://www.theregister.co.uk/2016/05/09/fcc_ftc_android_updates/
-http://www.computerworld.com/article/3067703/security/the-fcc-and-ftc-open-inqui
ries-into-smartphone-security-updates.html
[Editor's Note (Pescatore): This is a good example of the telecoms industry not being proactive and "self regulating." The root of the two inquiries is a good one - the carriers got into the business of essentially integrating software from multiple sources onto hardware (smart phones and tablets) and haven't seemed to define industry standard practices for keeping that all secure. Now there are multiple government agency investigation that will require generation of much paperwork and possible regulations that lead to higher levels of paperwork but not necessarily actual higher levels of security. ]
Misconfigured AV Scan Caused Medical Procedure Delay (May 9, 2016)
Improperly configured antivirus software caused a delay during a medical procedure, according to a US Food and Drug Administration (FDA) Adverse Event Report. A malware scan on a device that collects patient vital signs caused the monitor PC to lose communication with the client.-http://www.theregister.co.uk/2016/05/09/malware_scan_stalled_misconfigured_med_s
oftware_midprocedure/
[Editor's Note (Assante): I had to flag this statement: "scan only the potentially vulnerable files on the system, while skipping the medical images and patient data files". Please do tell how these certain files are bullet proof! I suspect it is more likely that the images and patient data files are changing so they are caught by the AV. Folder and file type exclusions have long been necessary in ICS deployments for the same reason. It is why AV solutions are certified by ICS suppliers with approved configurations to be implemented on ICS hosts. (Pescatore): The FDA report points out that the AV function was set up against the instructions, so the root cause of the outage is admin error. The bigger issue: if whitelisting was in place on the device, the risk of operational interference can be moved out of operational windows. (Williams): Medical devices are notoriously sensitive in their implementations. When adding third party software (such as AV or whitelisting software) organizations must test extensively to ensure they won't cause inadvertent outages. Vulnerability scanning is also problematic for these devices. I generally recommend proactive net flow monitoring for life safety devices in lieu of periodic vulnerability scanning. ]
Firefox 47 Ends Plugins Whitelist (May 6, 2016)
In Firefox 47, Mozilla has ended white-listing for plugins, with the exception of Flash. Firefox 47 is currently in beta release and is scheduled to be moved to the stable channel on June 7, 2016. Mozilla plans to end support for Flash with Firefox 53, which is scheduled for release in 2017.-http://www.theregister.co.uk/2016/05/06/firefox_47_beta_flash_not_blacklisted_ye
t/
************************** SPONSORED LINKS ********************************
1) Threat Advisor Free Download: Stop Ransomware Before It Starts: http://www.sans.org/info/185617
2) WEBCAST. May 10 @ 2pm ET. The Verizon Data Breach Investigations Report - A Defender's Perspective. http://www.sans.org/info/185622
3) Save Hundreds! Register Now! Enfuse 2016: Cybersecurity - Digital Investigations - E-Discovery. Use Code SANS2016 http://www.sans.org/info/185627
|***************************************************************************
THE REST OF THE WEEK'S NEWS
Legislator Seeks Definition for Act of Cyberwar (May 9, 2016)
US Senator Mike Rounds (R-South Dakota) has introduced a bill that would require the president to create a policy that defines when a cyberattack is an act of war. After the White House released a cyber deterrence policy late last year, members of the Senate Armed Services Committee said that it came up short.-http://federalnewsradio.com/cybersecurity/2016/05/senator-wants-definition-cyber
-act-war/
[Editor's Note (Pescatore): International agreement on how to define cyber attacks as equaling acts of war are needed but so far in the US these types of legislative initiatives (including this one) have seemed to be purely political - not likely to lead to anything meaningful. ]
Bangladesh Bank Says Cyberheist Caused by Faulty Software Installation (May 9, 2016)
Officials at Bangladesh Central Bank said that the fraudulent transactions that cost the bank US $81 million were due to improperly installed software. They alleged that when the Society for Worldwide Interbank Financial telecommunication (SWIFT) installed real-time gross settlement software in the months before the attack, they introduced the vulnerabilities that the attackers exploited. SWIFT has rejected the allegations.-http://www.darkreading.com/operations/reuters-police-say-swift-techs-made-bangla
desh-bank-more-vulnerable-before-heist/d/d-id/1325447?
-http://www.scmagazine.com/bangaldeshi-banking-officials-blame-81m-bank-heist-on-
incorrectly-installed-software/article/495068/
Man Arrested for Breaking Into State Election Website (May 9, 2016)
A Florida man was arrested after accessing a state election website using an SQL injection attack. David Levin accessed the site without permission from the Lee County, Florida, elections office. Levin faces charges of unauthorized access to a computer, network, or electronic device; he has been released on bond.-http://arstechnica.com/security/2016/05/how-a-security-pros-ill-advised-hack-of-
a-florida-elections-site-backfired/
-http://www.theregister.co.uk/2016/05/09/researcher_arrested_after_reporting_pwna
ge_hole_in_elections_site/
-http://www.zdnet.com/article/security-researcher-arrested-for-reporting-us-elect
ion-website-vulnerabilities/
[Editor's Note (Williams): Although this started innocently enough (checking for a SQL injection vulnerability), Levin undoubtedly crossed the line when he exploited the vulnerability to download voter data from the website. Even when the site is involved in a bug bounty program (this site was not), the line between a reward and a crime is very thinly defined by the bounty program rules. Read and understand those rules before engaging in any testing activity. ]
Twitter Prohibits Dataminr From Selling Analytics to Intelligence Agencies (May 9, 2016)
Twitter has prohibited Dataminr, a company that conducts data analysis on Twitter's entire feed, from allowing US intelligence agencies to access the data. Twitter expressed concern about appearing to have a close relationship with intelligence. Twitter maintains that it has never allowed Dataminr to sell data to government or intelligence agencies for surveillance.-http://www.cnet.com/news/twitter-yanks-dataminr-access-for-us-spy-agencies/
-http://arstechnica.com/tech-policy/2016/05/twitter-tells-us-intel-agencies-to-do
-their-own-data-mining/
-http://www.computerworld.com/article/3067400/internet/twitter-blocks-access-to-a
nalytics-of-its-data-to-us-intelligence-agencies.html
Virustotal Policy Change May 9, 2016
Virustotal, one of the most effective tools in combating malware has announced a policy change. As of now all scanning companies must be part of the Virustotal engine. This eliminates the opportunity to create an anti-virus program without contributing anti-malware analysis to the greater community:-http://www.csmonitor.com/World/Passcode/2016/0509/Google-shakes-up-antivirus-ind
ustry
-http://www.reuters.com/article/us-cybersecurity-sharing-virustotal-anal-idUSKCN0
XY0R4
-http://blog.virustotal.com/2016/05/maintaining-healthy-community.html?spref=tw
(Northcutt): They are also establishing quality standards, new scanners will need to prove a certification and/or independent reviews from security testers according to best practices of Anti-Malware Testing Standards Organization (AMTSO). This will make it much harder to float a reputable sounding adware, scareware, or malware "free" anti-virus solution. (Pescatore): There has been a flood of companies that seemed to be fueling their engines at the Virus Total free malware filling station and doing very little (if any) exploratory drilling/discovery of new malware or techniques. I'd rather see new investment dollars go to new approaches to fighting malware, rather than just to more repackagers of Virustotal data. ]
Equifax Website Data Breach Affects Kroger Employees (May 6, 7, and 9, 2016)
Kroger has notified current and former employees that thieves have stolen information from their W-2 tax forms. The data were stolen from Equifax W-2Express, a website that offers downloadable W-2s for some companies.-http://krebsonsecurity.com/2016/05/crooks-grab-w-2s-from-credit-bureau-equifax/
-http://www.scmagazine.com/kroger-warns-past-present-employees-of-possible-compro
mise-after-equifax-w-2express-breach/article/495023/
-http://www.darkreading.com/vulnerabilities---threats/kroger-hit-by-w-2-data-brea
ch-at-equifax/d/d-id/1325438?
[Editor's Note (Williams): In the wake of breaches of vendors that are expected to have better security, it's a good time to reinforce the need for security assessments of your vendors. Also, we recommend that contract language require immediate notification in the event of a suspected breach. When attackers may be using your vendors as a pivot point into your network, it is imperative that you know of compromises immediately. ]
FBI Told Law Enforcement to Recreate Stingray-Gathered Evidence (May 9, 2016)
According to a document obtained by Oklahoma Watch, a non-profit investigative journalism organization, the FBI told a local law enforcement agency that the technology used in stingrays, or cell-site locators, is so sensitive and controversial that evidence presented at trial needs to be reconstructed another way. In the Wired article, Kim Zetter provides a solid overview of cell-site simulator technology and details ways in which law enforcement has been evasive about their use of the technology.-http://www.zdnet.com/article/fbi-wants-cops-to-recreate-evidence-because-stingra
y-cell-trackers-are-too-secret/
-https://www.wired.com/2016/05/hacker-lexicon-stingrays-spy-tool-government-tried
-failed-hide/
Lenovo Fixes Privilege Elevation Flaw in Lenovo Solution Center (May 6, 2016)
Lenovo has patched a flaw in its Lenovo Solution Center (LSC), a pre-installed application on many Lenovo devices that provides a number of useful functions, including checking firewall status, updating software, and making backups. The flaw could be exploited to execute code and take control of computers. LSC version 3.3.002 fixes the privilege elevation vulnerability.-http://www.computerworld.com/article/3067279/security/lenovo-patches-serious-fla
w-in-pre-installed-support-tool.html
Bill Would Elevate CISO Position at US Dept. of Health and Human Services (May 3, 2016)
Proposed legislation in the US House of Representatives includes a provision that would elevate the position of CISO within the Department of Health and Human Services (HHS). The position would be independent from the office of HHS CIO. The change was prompted by an August 2015 House Energy and Commerce Committee report following a 2013 FDA breach. The report recommended the organizational change to give information security the necessary priority.-http://www.govinfosecurity.com/proposed-legislation-aims-to-elevate-hhs-ciso-rol
e-a-9080
INTERNET STORM CENTER TECH CORNER
A Quick Introduction To Linux Capabilities-https://isc.sans.edu/forums/diary/Guest+Diary+Linux+Capabilities+A+friend+and+fo
e/21031/
Review of TLS Proxy Security Issues
-http://users.encs.concordia.ca/~mmannan/publications/ssl-interception-ndss2016.p
df
Ransomware Claims to Donate Proceeds To Charity
-https://heimdalsecurity.com/blog/security-alert-new-ransomware-donate-earnings-c
harity/
Network Forensics With DShell
-https://isc.sans.edu/forums/diary/Performing+network+forensics+with+Dshell+Part+
1+Basic+usage/21035/
Aruba Vulnerabilities (and Patches)
-http://seclists.org/fulldisclosure/2016/May/19
Allwinner Android Device Debug Backdoor
-http://forum.armbian.com/index.php/topic/1108-security-alert-for-allwinner-sun8i
-h3a83th8/
ImageTragick Flaw Being Exploited
-https://blog.cloudflare.com/inside-imagetragick-the-real-payloads-being-used-to-
hack-websites-2/
Attacking JSON Web Tokens
-https://www.notsosecure.com/crafting-way-json-web-tokens/
ASUS UEFI Red Screen Of Death Workaround
-https://www.asus.com/support/FAQ/1016356/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/
