SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #60
July 29, 2016
TOP OF THE NEWS
OMB Updates Federal Information Policy Framework
Presidential Policy Directive on Cyberattack Response
Prison Time for IRS 'Get Transcript' Fraudsters
Prison for Citibank Internal Router Saboteur
THE REST OF THE WEEK'S NEWS
Chthonic Trojan Spreading via PayPal
Google Adds Security Improvements to Android Linux Kernel
Telegram App Vulnerability
New Minimum Hardware Security Requirements for Windows 10
LastPass Vulnerability Fixed
Wireless Keyboard Vulnerabilities
Vulnerabilities in Osram Internet-Connected Light Bulbs
Kimpton Hotels Investigating Possible Data Breach
INTERNET STORM CENTER TECH CORNER
*********************** Sponsored By Bugcrowd *************************
SQLi. XSS. CSRF. How vulnerable is your attack surface? Bug bounties find more critical bugs than any other traditional testing method -- Learn more in The 2016 State of Bug Bounty Report. Download Here:
A: http://www.sans.org/info/187685
B: http://www.sans.org/info/187690
***************************************************************************
TRAINING UPDATE
--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016
--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016
--SANS Virginia Beach 2016 | Virginia Beach, VA | August 22-September 2 | https://www.sans.org/event/virginia-beach-2016
--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016
--SANS Northern Virginia 2016 | Crystal City, VA | September 6-11 | https://www.sans.org/event/crystal-city-2016
--SANS Network Security 2016 | Las Vegas, NV | September 10-19 | https://www.sans.org/event/network-security-2016
--SANS London Autumn 2016 | London, UK | September 19-24 | https://www.sans.org/event/london-autumn-2016
--Security Leadership Summit & Training | September 27 - October 4, 2016 | Dallas, TX | https://www.sans.org/event/security-leadership-summit-2016
--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA | https://www.sans.org/event/seattle-2016
--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic | https://www.sans.org/event/dfir-prague-2016
--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD | https://www.sans.org/event/baltimore-2016
***************************************************************************
TOP OF THE NEWS
OMB Updates Federal Information Policy Framework (July 27, 2016)
The US Office of Management and Budget (OMB) has released an update for its federal information policy framework, Circular A-130. The document was last updated in 2000.
[Editor Comments]
[Paller ]
The security element of the revised A-130 reinforces the fundamental error that has caused Federal information systems to be so hard to protect - that Agencies are held accountable for writing reports admiring security risks rather than for buying systems that are defensible, fixing the high priority problems as they arise, and finding and eliminating intruders quickly. Shame on OMB for missing this opportunity to change agency priorities; will it be another 16 years before the A-130 policy error is finally eliminated?
[Pescatore ]
A quick look at the new document doesn't find the term "Chief Information Security Officer" or "Chief Security Officer" at all, only the requirement that the CIO designate a "senior agency information security officer," which will continue the responsibility-but-not-authority problem the government has in security. That same section points out another problem, especially since A-130 is the basis for government auditors' efforts and focus: agencies have to look at security requirements, dictates and policies issued by OPM, GSA, DHS and NIST. This continues what Tony Sager has called the "fog of more."
[Murray ]
When OMB A-130 was drafted computers were expensive but quickly obsolete. It was about buying hardware. That said, it has stood the test of time. (Thanks, Ed Springer.) Today it "establishes general policy for the planning, budgeting, governance, acquisition, and management of Federal information, personnel, equipment, funds, IT resources and supporting infrastructure and services." Read the "Basic Considerations," the assumptions undergirding the direction.
Read more in:
FCW: OMB issues A-130 update?
-https://fcw.com/articles/2016/07/27/omb-a130-update.aspx
White House: Circular No. A-130 (PDF)
-https://www.whitehouse.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf
Presidential Policy Directive on Cyberattack Response (July 26, 2016)
A US presidential policy directive clarifies the chain of command in responding to cyberattacks. The Justice Department's National Cyber Investigative Joint Task Force and the FBI will be responsible for coordinating response to cyberattacks. The Department of Homeland Security (DHS) will help affected organizations with recovery, and the Office of the Director of National Intelligence will take the lead in analysis and intelligence.
[Editor Comments]
[Williams ]
From a policy standpoint this is a step in the right direction. Many government agencies are currently building cyber investigation and response capabilities without a clear understanding of how they will be used (or even under what authorities they will operate). This document goes a long way towards clarifying that.
[Pescatore ]
The definition of cyber-incident seems very broad, especially since the process seems heavily tilted towards homeland security and counter-terrorism.
[Assante ]
High Consequence Cyber-induced Events (HCCE) can be achieved in multiple dimensions, and the United States Government is ready to consider and better organize around consequences, confidence, and context. This schema is very broad, as it should be, and will remain difficult to fully define.
Read more in:
Computerworld: FBI to lead nation's cyberattack responses
-http://www.computerworld.com/article/3100625/security/fbi-to-lead-nations-cyberattack-responses.html
Federal News Radio: White House clarified agencies' roles in responding to major cyber attacks
-http://federalnewsradio.com/cybersecurity/2016/07/white-house-clarifies-agencies-roles-responding-major-cyber-attacks/
Nextgov: Obama Establishes Cyberattack Response Chain of Command
-http://www.nextgov.com/cybersecurity/2016/07/obama-establishes-cyberattack-response-chain-command/130232/?oref=ng-HPtopstory
White House Press Release: Presidential Policy Directive -- United States Cyber Incident Coordination
-https://www.whitehouse.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident
Prison Time for IRS 'Get Transcript' Fraudsters (July 27, 2016)
Two people have been sentenced to prison for their roles in a scheme that exploited a flaw in the US Internal Revenue Service's (IRS's) "Get Transcript" tool. Anthony Alika and Sonia Alika laundered more than US $1 million, using information stolen from the IRS site to file fraudulent income tax returns and obtain refunds. Anthony Alika was sentenced to nearly seven years in prison; Sonia Alika was sentenced to nearly two years in prison. The couple was also ordered to pay more than US $2 million in restitution to the IRS.
Read more in:
The Register: Couple in the cooler for sucking $1m out of Uncle Sam via IRS 'Get Transcript' scam
-http://www.theregister.co.uk/2016/07/27/sentencing_in_irs_get_transcript_scam/
US Dept. of Justice: Georgia Couple Sentenced to Prison in a Stolen Identity Tax Refund Fraud Scheme Involving IRS "Get Transcript" Database
-https://www.justice.gov/opa/pr/georgia-couple-sentenced-prison-stolen-identity-tax-refund-fraud-scheme-involving-irs-get
Prison for Citibank Internal Router Saboteur (July 27, 2016)
A former Citibank employee has been sentenced to 21 months in prison for issuing commands to wipe configuration files on core routers on the bank's internal network in December 2013. Lennon Ray Brown pleaded guilty to causing intentional damage to a computer. The action caused outages affecting up to 90 percent of Citibank branches.
Read more in:
The Register: Ex-Citibank IT bloke wiped bank's core routers, will now spend 21 months in the clink
-http://www.theregister.co.uk/2016/07/27/citibank_network_wipe_man_jailed/
US Dept. of Justice: Former Citibank Employee Sentenced to 21 Months in Federal Prison for Causing Intentional Damage to a Protected Computer
-https://www.justice.gov/usao-ndtx/pr/former-citibank-employee-sentenced-21-months-federal-prison-causing-intentional-damage
*************************** SPONSORED LINKS *****************************
1) Visit VMRay at BlackHat booth #1372: see how our agentless hypervisor-based threat analysis evades malware detection http://www.sans.org/info/187695
2) Take the SANS Financial Security Survey today & enter to win a $400 AMAZON GIFT CARD! http://www.sans.org/info/187700
3) Help SANS determine how organizations conduct CONTINUOUS VULNERABILITY ASSESSMENT and remediation related to the CIS Critical Security Controls- http://www.sans.org/info/187705
***************************************************************************
THE REST OF THE WEEK'S NEWS
Chthonic Trojan Spreading via PayPal (July 26 and 28, 2016)
A variant of the ZeuS banking Trojan horse program known as Chthonic is spreading through PayPal. The attack exploits a feature that allows PayPal users to include notes in money request messages.
Read more in:
V3: Banking trojan being distributed via 'legitimate' PayPal accounts
-http://www.v3.co.uk/v3-uk/news/2466331/banking-trojan-being-distributed-via-legitimate-paypal-accounts
Softpedia: Chthonic Banking Trojan Distributed via Legitimate PayPal Emails
-http://news.softpedia.com/news/chthonic-banking-trojan-distributed-via-legitimate-paypal-emails-506659.shtml
Google Adds Security Improvements to Android Linux Kernel (July 27 and 28, 2016)
Google has made changes in the Android Nougat Linux kernel to improve security. The changes focus on protecting memory, including features to mark memory as read-only/no-execute and to restrict kernel access to userspace; and on reducing the attack surface, including removing default access to debug features and restricting app access to IOCTL commands.
Read more in:
IT News: Google hardens the Linux kernel in Android
-http://www.itnews.com.au/news/google-hardens-the-linux-kernel-in-android-431800
Computerworld: Google beefs Linux up kernel defenses in Android
-http://www.computerworld.com/article/3101848/security/google-beefs-linux-up-kernel-defenses-in-android.html
Android Developers Blog: Protecting Android with more Linux kernel defenses
-http://android-developers.blogspot.co.nz/2016/07/protecting-android-with-more-linux.html
-https://security.googleblog.com/2016/07/protecting-android-with-more-linux.html
Telegram App Vulnerability (July 27, 2016)
A flaw in the Telegram Messenger app (for Mac OS X) has been fixed. The app logged everything users pasted into their chats to syslog, even if those users had selected the end-to-end encrypted "secret" mode. Telegram's CEO called the issue "minor," noting that it affects only text copied and pasted from the clipboard, and that "AppStore apps cannot access syslog."
Read more in:
Ars Technica: Telegram app vuln recorded anything macOS users pasted-even in secret
-http://arstechnica.com/security/2016/07/telegram-messenger-app-macos-bug/
SC Magazine: Telegram for Mac OS records everything pasted into app
-http://www.scmagazine.com/mac-os-telegram-flaw-recorded-anything-users-pasted-in-app/article/512306/
New Minimum Hardware Security Requirements for Windows 10 (July 27, 2016)
As of Thursday, July 28, Microsoft is requiring Windows 10-based phones, tablets, and PCs to support the Trusted Platform Module (TPM) 2.0 standard, which provides a secure place on the device to store authentication keys. The Anniversary Edition of Windows 10, which is set for release on August 2, will support TPM 2.0.
Read more in:
Computerworld: Microsoft mandates Windows 10 hardware change for PC security
-http://www.computerworld.com/article/3101427/security/microsoft-mandates-windows-10-hardware-change-for-pc-security.html
V3: Microsoft mandates TPM 2.0 support in all Windows 10 devices
-http://www.v3.co.uk/v3-uk/news/2466256/microsoft-mandates-tpm-20-support-in-all-windows-10-devices
LastPass Vulnerability Fixed (July 27 and 28, 2016)
LastPass has fixed a vulnerability in its password vault product that could be exploited to remotely hijack user accounts. Devices could be compromised if users visit maliciously crafted websites. LastPass has pushed out a fix for the flaw to Firefox users running LastPass 4.0.
[Editor Comments]
[Williams ]
A far more serious LastPass vulnerability was recently discovered and fixed (https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/).
Just like any other software your password managers must be updated to patch known vulnerabilities. Even with these recent disclosures, using a password manager is still far better than not using one.
[Honan ]
Kudos to LastPass on addressing the security bugs, but this is a timely reminder that not all software, even security software, is secure. We need to ensure we use all additional features, such as two-step verification, to lock down these critical types of applications. Despite the reported bugs, LastPass, and any other password managers, are still much better than reusing the same password across multiple systems.
Read more in:
The Register: Zero day hole can pwn millions of LastPass users, all that's needed is a malicious site
-http://www.theregister.co.uk/2016/07/27/zero_day_hole_can_pwn_millions_of_lastpass_users_who_visit_a_site/
ZDNet: LastPass unpatched zero-day vulnerability gives hackers access to your account
-http://www.zdnet.com/article/lastpass-zero-day-vulnerability-remotely-compromises-user-accounts/
Computerworld: Flaw with password manager LastPass could hand over control to hackers
-http://www.computerworld.com/article/3101344/security/flaw-with-password-manager-lastpass-could-hand-over-control-to-hackers.html
CNET: Big security bug fixed by LastPass password manager
-http://www.cnet.com/news/big-security-bug-fixed-by-lastpass-password-manager/
LastPass Blog: LastPass Security Updates
-https://blog.lastpass.com/2016/07/lastpass-security-updates.html/
Wireless Keyboard Vulnerabilities (July 26 and 27, 2016)
Researchers have found that security weaknesses in some wireless keyboards could allow attackers to inject keystrokes and to read everything users type, spelling trouble for the security of account access credentials and any other sensitive communications. To sniff this information, attackers would need to be within 250 feet of a targeted device.
[Editor Comments]
[Ullrich ]
How many times is this very same vulnerability going to be reported? And how long until manufacturers of keyboards will finally fix this problem? Right now, if you insist on using a wireless keyboard, Bluetooth is your best option, and it isn't clear why manufacturers use their insecure proprietary protocols (Bluetooth is pretty cheap and universal). Here are some links to prior reports of this vulnerability:
2007:
-https://www.dreamlab.net/wp-content/uploads/2012/06/Whitepaper-27_Mhz_keyboard_insecurities.pdf
2015:
-http://samy.pl/keysweeper/
[Williams ]
Most of the keyboards vulnerable to this are low-end models and not likely to be deployed in enterprise environments. This vulnerability is not new; it's time to recognize that with the advent of software defined radio (SDR) no unsecured communications are safe from eavesdropping. The novelty of this exploit is that rather than using SDR, the researchers wrote custom firmware for a wireless dongle that costs less than $50, making the attack far more accessible.
Read more in:
CNET: Hackers could sniff out your passwords if you're typing nearby
-http://www.cnet.com/news/hackers-could-sniff-out-your-passwords-if-youre-typing-nearby/
ZDNet: Flaws in wireless keyboards let hackers snoop on everything you type
-http://www.zdnet.com/article/millions-of-wireless-keyboards-at-risk-of-spying-by-hackers-in-new-attack/
Wired: Radio Hack Steals Keystrokes from Millions of Wireless Keyboards
-https://www.wired.com/2016/07/radio-hack-steals-keystrokes-millions-wireless-keyboards/
V3: Wireless keyboards and mice vulnerable to keystroke 'sniffing'
-http://www.v3.co.uk/v3-uk/news/2466157/wireless-keyboards-and-mice-vulnerable-to-keystroke-sniffing
Vulnerabilities in Osram Internet-Connected Light Bulbs (July 26 and 27, 2016)
A handful of vulnerabilities in certain Internet-connected light bulbs could be exploited to operate lights and gain access to a home's wi-fi network. The issues affect Osram's Lightify products. The Osram smartphone app stores users' wi-fi passwords unencrypted. Osram says most of the flaws will be fixed in its next version update, due out next month.
[Editor Comments]
[Honan ]
When your security relies on your lightbulbs, you know that worrying about APTs and nation-state adversaries is a futile exercise.
Read more in:
BBC: Osram Lightify light bulbs 'vulnerable to hack'
-http://www.bbc.com/news/technology-36903274
The Register: Osram's Lightify smart bulbs blow a security fuse - isn't anything code audited anymore?
-http://www.theregister.co.uk/2016/07/27/osram_smart_lightbulbs/
ZDNet: Serious security flaws found in Osram smart bulbs
-http://www.zdnet.com/article/serious-security-flaws-found-in-osram-smart-bulbs/
Kimpton Hotels Investigating Possible Data Breach (July 26, 2016)
Kimpton Hotels is looking into reports that payment cards customers used at some of their properties were compromised. KrebsonSecurity learned of the pattern of fraudulent payment card activity from several sources in the financial industry.
[Editor Comments]
[Murray ]
With due credit to Krebs, if one is in hospitality or food and beverage, he should not be one's early warning system. The first Verizon Data Breach Incident Report (2009?) should have been enough.
Read more in:
KrebsonSecurity: Kimpton Hotels Probes Card Breach Claims
-http://krebsonsecurity.com/2016/07/kimpton-hotels-probes-card-breach-claims/
SC Magazine: Kimpton Hotels investigates potential payment card breach
-http://www.scmagazine.com/possible-payment-card-breach-affecting-kimpton-hotels/article/511980/
Kimpton Hotels Press Release: Payment Card Data Update
-https://www.kimptonhotels.com/press
INTERNET STORM CENTER TECH CORNER
DNS Command and Control via AAAA Records
-https://isc.sans.edu/forums/diary/Command+and+Control+Channels+Using+AAAA+DNS+Records/21301/
Microsoft Announces New Mobile Authenticator
-https://blogs.technet.microsoft.com/enterprisemobility/2016/07/25/microsoft-authenticator-coming-august-15th/
WPAD May Leak HTTPS URLs
-http://arstechnica.com/security/2016/07/new-attack-that-cripples-https-crypto-works-on-macs-windows-and-linux/
HOnions: Tor Servers To Discover Snooping Tor Nodes
-https://regmedia.co.uk/2016/07/25/10_honions-sanatinia.pdf
Linux Bot Analysis
-https://isc.sans.edu/forums/diary/Analyze+of+a+Linux+botnet+client+source+code/21305/
Critical XEN PV Guests Vulnerability
-https://isc.sans.edu/forums/diary/Critical+Xen+PV+guests+vulnerabilities/21307/
Chimera Ransomware Keys Leaked
-https://blog.malwarebytes.com/cybercrime/2016/07/keys-to-chimera-ransomware-leaked/
Fiat/Chrysler Software Recall
-http://www.thecarconnection.com/news/1105198_2015-chrysler-200-jeep-renegade-2014-2015-jeep-cherokee-recalled-410000-vehicles-affected?preview=true
Verifying SSL/TLS Certificates Manually
-https://isc.sans.edu/forums/diary/Verifying+SSLTLS+certificates+manually/21311/
Update to ISC Suspicious Domain List
-https://isc.sans.edu/suspicious_domains.html
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create