SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #55
July 12, 2016
With Friday's release of the movie Zero Days, more people may be asking questions about Stuxnet. If you are one of the people likely to be asked, you'll want to read Kim Zetter's extraordinarily well-researched and well-written "Countdown to Zero Day." It has details about what actually happened that will enable you to answer questions with confidence.
https://www.amazon.com/Countdown-Zero-Day-Stuxnet-Digital/dp/077043617X/ref=tmm_hrd_swatch_0?_encoding=UTF8&qid=&sr=
TOP OF THE NEWS
EU Governments Approve Privacy Shield
SWIFT Hires Outside Cybersecurity Help
THE REST OF THE WEEK'S NEWS
GenCyber Camps
Lurk Takedown Linked to Angler Disappearance
Omni Hotels Acknowledges Breach
Remote Code Execution Flaw in Xiaomi Phones
Update Available for WordPress Plug-in
IG Audit Report: FDIC Needs to Improve Incident Detection and Reporting
Facebook Testing Encryption for Messenger
FAA Reauthorization Bill Includes Cybersecurity Requirement
1,025 Wendy's Restaurants Hit By POS Malware
INTERNET STORM CENTER TECH CORNER
*********************** Sponsored By AlienVault **************************
Learn the pros/cons of the various open source intrusion detection tools available to you. Download your copy of the Beginner's Guide to Open Source IDS Tools.
Get it now! www.sans.org/info/187195
***************************************************************************
TRAINING UPDATE
--SANS London Summer 2016 | London, UK | July 9-16 | https://www.sans.org/event/london-in-the-summer-2016
--SANS Rocky Mountain | Denver, CO | July 11-16 | https://www.sans.org/event/rocky-mountain-2016
--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | https://www.sans.org/event/minneapolis-2016
--SANS San Antonio | San Antonio, TX | July 18-23 | https://www.sans.org/event/san-antonio-2016
--Industrial Control Systems Security Training | Houston, TX | July 25-30 | https://www.sans.org/event/ics-houston-summit-training-2016
--SANS Boston 2016 | Boston, MA | August 1-6 | https://www.sans.org/event/boston-2016
--SANS Vienna | Vienna, Austria | August 1-6 | https://www.sans.org/event/vienna-2016
--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | https://www.sans.org/event/security-awareness-summit-2016
--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016
--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016
--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016
***************************************************************************
TOP OF THE NEWS
EU Governments Approve Privacy Shield (July 8, 9, and 11, 2016)
The European Union's 28 member states have approved Privacy Shield, the EU-US data transfer agreement crafted to replace Safe Harbor, which the EU high court struck down last autumn. Once the European Commission approves Privacy Shield, the agreement will take effect. European privacy groups are likely to challenge the agreement in court because they believe it does not go far enough to protect EU citizens' privacy.
[Editor Comments]
(Honan): This issue is far from dead and this agreement will be challenged in the European Court of Justice where its adequacy will be determined. As Viviane Reding, the European Commissioner for Justice, Fundamental Rights and Citizenship (https://en.wikipedia.org/wiki/European_Commissioner_for_Justice,_Fundamental_Rights_and_Citizenship), said in her press release "While doubts persist concerning the access of American public authorities to transferred data, let's turn this Privacy Shield into a living agreement that can be reinforced where and when necessary, to finally end mass-surveillance!"
-http://www.eppgroup.eu/press-release/Trans-Atlantic-Data-Flows%3A-Let%E2%80%99s-turn-words-into-deeds
(Murray): The fun has just begun. The key to the agreement is the Judicial Redress Act, signed by President Obama. Readers may remember that the Safe Harbor Agreement was ruled inadequate because it did not provide the EU citizen with redress similar to that which he enjoyed under EU law. The Judicial Redress Act extends the right of redress enjoyed by US citizens under the Privacy Act, to EU citizens. These rights are enforceable only against the government, but do not apply to telecoms, ISPs, search companies, banks, or merchants.
Read more in:
The Hill: Week ahead: EU set to finalize new data pact
-http://thehill.com/policy/cybersecurity/287067-week-ahead-eu-set-to-finalize-new-data-pact
eWeek: European Member States Approve Privacy Shield Agreement
-http://www.eweek.com/security/european-member-states-approve-privacy-shield-agreement.html
BBC: Privacy Shield data pact gets European approval
-http://www.bbc.com/news/technology-36744928
SC Magazine: Privacy Shield gets nod from EU, ripe for judicial challenge
-http://www.scmagazine.com/privacy-shield-gets-nod-from-eu-ripe-for-judicial-challenge/article/508720/
SWIFT Hires Outside Cybersecurity Help (July 11, 2016)
Following the disclosure of a string of thefts involving its financial transaction communication system, SWIFT has hired two outside cybersecurity companies to help SWIFT customers bolster their cybersecurity. The companies will also work closely with SWIFT's internal Customer Security Intelligence team.
Read more in:
The Hill: Banking network hacked in $81m heist hires outside cyber team
-http://thehill.com/policy/cybersecurity/287208-banking-network-hacked-in-81m-heist-hires-outside-cyber-team
Computerworld: SWIFT brings in external support as it fights wave of bank hacks
-http://www.computerworld.com/article/3093943/security/swift-brings-in-external-support-as-it-fights-wave-of-bank-hacks.html
SC Magazine: SWIFT hires two cybersecurity firms in wake of digital heists
-http://www.scmagazine.com/swift-hires-two-cybersecurity-firms-in-wake-of-digital-heists/article/508722/
SWIFT: Press Release
-https://www.swift.com/insights/press-releases/swift-engages-expert-cyber-security-firms-and-establishes-dedicated-customer-security-intelligence-team-0?
*************************** SPONSORED LINKS *****************************
Why Layered Security Strategies Don't Work and What You Can Do About It. Tuesday, July 19th, 2016 at 11:00 AM (11:00:00 EDT/US Eastern) with Navneet Singh. http://www.sans.org/u/joq
"Insider threats remain high concern among healthcare industry" - 2 Part Webcast Series - 7/20 & 7/21 @ 1 PM ET. http://www.sans.org/u/j0Z
Take the SANS 2016 Cloud Security Survey & enter to win a $400 Amazon Gift Card! www.sans.org/info/187200
***************************************************************************
THE REST OF THE WEEK'S NEWS
GenCyber Camps (July 11, 2016)
The National Security Agency (NSA) and the National Academy of Sciences are sponsoring nearly 120 GenCyber camps this summer. GenCyber offers free camps for students from kindergarten through 12th grade; it also offers camps for teachers.
Read more in:
Washington Post: Computer hackers don't stand a chance against these girls
-https://www.washingtonpost.com/lifestyle/kidspost/computer-hackers-dont-stand-a-chance-against-these-girls/2016/07/11/ad923bb4-438b-11e6-88d0-6adee48be8bc_story.html
Lurk Takedown Linked to Angler Disappearance (July 11, 2016)
The disappearance of traffic related to the Angler exploit kit may be linked to the Lurk banking Trojan. In June, Russian authorities arrested a group of people for allegedly using the Lurk banking Trojan to steal US $45 million from Russian banks. Angler disappeared within a week of those arrests. Cisco Talos researchers became intrigued; they discovered that the majority of Lurk's command-and-control domains were registered to an account also associated with Angler communication.
Read more in:
The Register: Lurk trojan takedown also took out Angler exploit kit
-http://www.theregister.co.uk/2016/07/11/lurk_trojan_angler_exploit_links/
Omni Hotels Acknowledges Breach (July 11, 2016)
Omni Hotels has acknowledged that point-of-sale systems at some of its properties were infected with malware designed to steal payment card information. Omni became aware of the breach on May 30, 2016; the malware was on the system between December 23, 2015 and June 14, 2016.
[Editor Comments]
(Williams): The fact that the breach began on December 23 is probably not a coincidence. I have worked on multiple breaches where attackers took advantage of seasonally themed phishing emails along with seasonal lack of staffing to gain initial access and/or exfiltrate data. IOW, pay extra attention to security during holiday times.
Read more in:
Computerworld: Omni Hotels was hit by point-of-sale malware
-http://www.computerworld.com/article/3093390/security/omni-hotels-was-hit-by-point-of-sale-malware.html
The Register: Omni-shambles! Card-stealing malware checks into US hotel chain
-http://www.theregister.co.uk/2016/07/11/strike_omni_from_list_of_safe_hotels
Omni Hotels: Notice of Data Breach
-https://www.omnihotels.com/notice
Remote Code Execution Flaw in Xiaomi Phones (July 11, 2016)
A fix is available for a vulnerability that affects millions of Xiaomi mobile phones. The remote code execution flaw resides in several apps that are part of Xiaomi's custom Android-based operating system. Users are urged to update as soon as possible.
Read more in:
ZDNet: Millions of Xiaomi phones at risk of remotely installed malware
-http://www.zdnet.com/article/millions-of-xiaomi-devices-at-risk-of-malicious-updates/
Update Available for WordPress Plug-in (July 11, 2016)
WordPress users who have installed the All in One SEO Pack plug-in are being advised to update as soon as possible. A flaw in the plug-in's Bot Blocker function could be exploited through a cross-site scripting attack to take control of a website's administrative account. The plug-in's developer, Semper Fi Web Design, has released All in One SEO version 2.3.6, in which the problem is fixed.
[Editor Comments]
(Ullrich): If you really like WordPress, then bite the bullet and pay for a solution hosted by wordpress.com. Keeping WordPress up to date and secure yourself is rather difficult and a significant time commitment.
(Williams): A quick check of several clients who use WordPress reveals that most of them have this plugin installed. The good news is that the vulnerability can't be triggered until you log in to the WordPress admin panel. Install this patch sooner than later. Because this is stored XSS, XSS protections like those found in Google Chrome are rendered ineffective.
Read more in:
Computerworld: Serious flaw fixed in widely used WordPress plug-in
-http://www.computerworld.com/article/3094007/security/serious-flaw-fixed-in-widely-used-wordpress-plug-in.html
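An added example, not code from the newsletter, the plug-in or its developer, illustrating the point in the comment above about stored XSS: a minimal Python model of an admin page that displays strings recorded from anonymous visitors, showing why a browser filter that compares the request with the response cannot catch a payload that was stored earlier, and why HTML-escaping at output time does. The page layout, the log entries, the simplified filter heuristic and all function names are assumptions for illustration.

```python
import html
import re
from urllib.parse import unquote

# Inline <script> blocks; enough for this illustration, not a real HTML parser.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Constructed sample of what a "blocked visitors" log might hold: one ordinary
# User-Agent string and one that a visitor stuffed with markup in an earlier request.
BLOCKED_LOG = [
    "Mozilla/5.0 (compatible; ExampleBot/1.0)",
    "<script>alert('stored')</script>",
]


def render_admin_page_unsafe(entries):
    """Vulnerable pattern: stored strings are concatenated into HTML verbatim,
    so markup recorded from an anonymous visitor runs when an admin views it."""
    rows = "".join(f"<li>{e}</li>" for e in entries)
    return f"<h1>Blocked user agents</h1><ul>{rows}</ul>"


def render_admin_page_safe(entries):
    """Hardened pattern: every stored value is HTML-escaped at output time,
    so the same log entry is displayed as text rather than executed."""
    rows = "".join(f"<li>{html.escape(e, quote=True)}</li>" for e in entries)
    return f"<h1>Blocked user agents</h1><ul>{rows}</ul>"


def reflected_filter_blocks(request_query, response_html):
    """Simplified model (an assumption) of a reflected-XSS browser filter: a
    script in the response is flagged only when the same script text was also
    sent in the request. A stored payload was injected by someone else in an
    earlier request, so nothing in the admin's own request matches it."""
    decoded = unquote(request_query)
    return any(m.group(0) in decoded for m in SCRIPT_RE.finditer(response_html))


def contains_live_script(response_html):
    """True when the rendered page carries an executable inline script."""
    return SCRIPT_RE.search(response_html) is not None


def demo():
    """The admin opens the log page; the request itself carries no payload."""
    admin_request = "page=bot-blocker"
    unsafe = render_admin_page_unsafe(BLOCKED_LOG)
    safe = render_admin_page_safe(BLOCKED_LOG)
    return {
        "unsafe_executes_script": contains_live_script(unsafe),
        "filter_would_block_stored": reflected_filter_blocks(admin_request, unsafe),
        "safe_executes_script": contains_live_script(safe),
        # The same text reflected from the request is the one case the filter does catch.
        "filter_would_block_reflected": reflected_filter_blocks(
            "q=" + BLOCKED_LOG[1], render_admin_page_unsafe([BLOCKED_LOG[1]])),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The takeaway is the one in the comment: client-side reflected-XSS heuristics are the wrong control for stored XSS, and the fix has to be server-side escaping of every stored value at the point it is rendered.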
IG Audit Report: FDIC Needs to Improve Incident Detection and Reporting (July 11, 2016)
According to an audit report from the FDIC's Office of the Inspector General, "the FDIC's incident response policies, procedures and guidelines did not address major incidents." In addition, the FDIC lacks sufficient resources to review potential breach information generated by its Data Loss Prevention (DLP) network monitoring tool. The IG makes five recommendations to the FDIC CIO, all aimed at improving the organization's ability to detect and report major security incidents in a timely manner.
[Editor Comments]
(Williams): From the IG report, it appears the FDIC broke one of the important rules of security: Do not turn on new alerting without first establishing a response workflow. For each new log source, document what you expect the alert to tell you, how to investigate true positive vs. false positive, and how to remediate incidents involving the alert.
(Russell Eubanks): All of us can learn lessons which can lead to an improved security posture. I dare you to engage your incident response team in exercises based on the information contained in this report.
Read more in:
FCW: IG: FDIC ill-equipped to identify major cyber incidents?
-https://fcw.com/articles/2016/07/11/fdic-cyber-oig.aspx
FDIC OIG Audit Report (PDF): The FDIC's Process for Identifying and Reporting Major Information Security Incidents
-https://www.fdicig.gov/reports16/16-004AUD.pdf
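An added example, not from the IG report, the FDIC or the newsletter, sketching the rule in the Williams comment above in Python: alerting on a new log source cannot be enabled until its expected meaning, its true-positive/false-positive triage rule and its remediation step are written down, and the resulting runbook is then applied to a few constructed DLP-style log lines so that each event leaves with a verdict and a next step. The log format, field names, approved-destination list, size threshold and all function names are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class AlertRunbook:
    """The three things to write down before an alert goes live."""
    name: str
    expectation: str                          # what a firing alert is supposed to mean
    is_true_positive: Callable[[dict], bool]  # how to separate a true from a false positive
    remediation: str                          # what the analyst does on a true positive


RUNBOOKS: Dict[str, AlertRunbook] = {}


def enable_alerting(log_source: str, runbook: AlertRunbook = None) -> None:
    """Refuse to turn on alerting for a source that has no response workflow."""
    if runbook is None:
        raise ValueError(f"{log_source}: write the runbook before enabling alerts")
    RUNBOOKS[log_source] = runbook


# Constructed DLP-style events (assumed format: a source tag followed by key=value pairs).
SAMPLE_DLP_LOG = [
    "dlp user=jdoe dst=files.corp.example bytes=52000000 tag=PII",
    "dlp user=jdoe dst=webmail.example bytes=52000000 tag=PII",
    "dlp user=asmith dst=backup.corp.example bytes=900000000 tag=none",
]

APPROVED_DESTINATIONS = {"files.corp.example", "backup.corp.example"}  # assumed allowlist
PII_EXFIL_THRESHOLD_BYTES = 10_000_000  # assumed tuning threshold


def parse_dlp_line(line: str) -> dict:
    """Parse 'dlp k=v k=v ...' into a dict; the bytes field becomes an int."""
    source, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["source"] = source
    event["bytes"] = int(event["bytes"])
    return event


def pii_exfil_rule(event: dict) -> bool:
    """Triage rule: tagged PII, leaving for a destination outside the allowlist,
    above the size threshold. Anything else is closed as a false positive."""
    return (event["tag"] == "PII"
            and event["dst"] not in APPROVED_DESTINATIONS
            and event["bytes"] >= PII_EXFIL_THRESHOLD_BYTES)


def triage(log_source: str, line: str) -> dict:
    """Turn one event into a ticket that carries its verdict and its next step."""
    runbook = RUNBOOKS[log_source]
    event = parse_dlp_line(line)
    true_positive = runbook.is_true_positive(event)
    return {
        "alert": runbook.name,
        "user": event["user"],
        "dst": event["dst"],
        "verdict": "true_positive" if true_positive else "false_positive",
        "expected_meaning": runbook.expectation,
        "next_step": (runbook.remediation if true_positive
                      else "close and record the reason so the rule can be tuned"),
    }


def run_sample() -> list:
    """Register the DLP runbook, then triage every constructed event."""
    enable_alerting("dlp", AlertRunbook(
        name="PII leaving to unapproved destination",
        expectation="a user moved tagged PII to a destination not on the allowlist",
        is_true_positive=pii_exfil_rule,
        remediation="open an incident, preserve the DLP record, contain the account, "
                    "and assess the record count against the major-incident criteria",
    ))
    return [triage("dlp", line) for line in SAMPLE_DLP_LOG]


if __name__ == "__main__":
    for ticket in run_sample():
        print(ticket["user"], ticket["dst"], ticket["verdict"], "->", ticket["next_step"])
```

Encoding the false-positive criteria (here the destination allowlist and the size threshold) in the runbook is what keeps a DLP feed from becoming an unreviewed backlog: events that match the documented exclusions are closed with a recorded reason, and analyst time goes to the ones that meet the alert's stated expectation.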
Facebook Testing Encryption for Messenger (July 8, 2016)
Facebook has begun testing Secret Conversations, an end-to-end encryption feature for Messenger. Users will be able to create secret conversations that can be read on only one of the recipient's devices. The cryptographic keys "are generated or derived on-device," which means that Facebook never has possession of the keys. Secret Conversations will also let users determine how long the message will be visible.
[Editor Comments]
(Murray): Facebook, and others providing messaging services, must provide end-to-end encryption where they are not party to the keys. If they fail to do so, if they can see the traffic, then providing support to law enforcement and intelligence will be a significant cost of doing business. Apple understands this.
Read more in:
SC Magazine: Facebook testing 'Secret Conversations' end-to-end encryption feature for Messenger
-http://www.scmagazine.com/facebook-testing-secret-conversations-end-to-end-encryption-feature-for-messenger/article/508566/
Quartz: Facebook is testing encrypted, self-destructing messages
-http://qz.com/727384/facebook-is-testing-encrypted-self-destructing-messages/
CNET: Facebook adds encryption to Messenger
-http://www.cnet.com/news/facebook-adds-encryption-to-messenger/
Facebook Newsroom: Messenger starts testing end-to-end encryption with Secret Conversations
-http://newsroom.fb.com/news/2016/07/messenger-starts-testing-end-to-end-encryption-with-secret-conversations/
FAA Reauthorization Bill Includes Cybersecurity Requirement (July 8, 2016)
The US Federal Aviation Administration (FAA) reauthorization, which is expected to pass this week, requires the agency to develop "a comprehensive and strategic framework of principles and policies to reduce cybersecurity risks."
[Editor Comments]
(Henry): Is this news? Develop "a comprehensive and strategic framework of principles and policies to reduce cybersecurity risks."? Really? And if you take 8 MONTHS to BUILD this "plan," how much longer to actually IMPLEMENT it? Can't the capabilities of the entire USG be leveraged, by looking at "principles and policies to reduce cybersecurity risks" already being utilized elsewhere? There needs to be greater coordination and a heightened sense of urgency to better protect government networks.
Read more in:
The Hill: FAA reauthorization to bolster cyber efforts
-http://thehill.com/policy/cybersecurity/287013-faa-reauthorization-to-bolster-cyber-efforts
1,025 Wendy's Restaurants Hit By POS Malware (July 8, 2016)
The point-of-sale credential-scraping malware compromise that Wendy's announced in May was only one-third the size of the actual compromise, the chain announced this week. The malware targeted: cardholder name, credit or debit card number, expiration date, cardholder verification value, and service code. The investigation is still active.
[Editor Comments]
(Northcutt): Kathy and I are moving to payment in cash for minor expenditures. Why risk dealing with identity theft for a $13.95 burger, chili and sour cream and chive baked potato?
Read more in:
SecurityWeek: Over 1,000 Wendy's restaurants hit by POS malware
-http://www.securityweek.com/over-1000-wendys-restaurants-hit-pos-malware
USA Today: Wendy's cyber attack compromised names, card numbers
-http://www.usatoday.com/story/money/2016/07/07/wendys-cyber-attack-compromised-names-card-numbers/86799940/
INTERNET STORM CENTER TECH CORNER
Pentesters (and Attackers) Love Internet Connected Security Cameras!
-https://isc.sans.edu/forums/diary/Pentesters+and+Attackers+Love+Internet+Connected+Security+Cameras/21231/
Lessons Learned From Industrial Control Systems
-https://isc.sans.edu/forums/diary/Lessons+Learned+from+Industrial+Control+Systems/21243/
BMW Portal Insecurity
-http://www.vulnerability-lab.com/get_content.php?id=1736
-http://www.vulnerability-lab.com/get_content.php?id=1737
Pokemon Go App Used To Rob Users
-https://regmedia.co.uk/2016/07/10/34798567498753.pdf
Hiding in White Text: Word Documents with Embedded Payloads
-https://isc.sans.edu/forums/diary/Hiding+in+White+Text+Word+Documents+with+Embedded+Payloads/21227/
Pokemon Go Requests "Full Access" to iOS User's Google Account
-http://adamreeve.tumblr.com/post/147120922009/pokemon-go-is-a-huge-security-risk
Hacking Siri With Barely Audible Voice Commands
-https://security.cs.georgetown.edu/~tavish/hvc_usenix.pdf
iOS Users Locked Out of Devices by Ransom Attacks
-http://www.csoonline.com/article/3093016/security/apple-devices-held-for-ransom-rumors-claim-40m-icloud-accounts-hacked.html
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create