SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #61

August 02, 2016

TOP OF THE NEWS

DoJ Official: Legal Action is Strong Cyber Deterrent
Russia Says Critical Infrastructure Systems Infected with Malware
NIST: SMS-Based Two-Factor Authentication to be Phased Out

THE REST OF THE WEEK'S NEWS

Google Implements HSTS for Google.com
Vietnamese Airport Flight Information Systems Compromised
US Social Security Administration Requires Two-Factor Authentication for Online Access
Google Adds Security Alert Feature to Android
Intel Crosswalk SSL Library Flaw Affects Android
NIST: First Responder Mobile Tech Cybersecurity Guidelines

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

*********************** Sponsored By AlienVault *************************

Everything you wanted to know about Security Information and Event Management (SIEM) but were afraid to ask. Get your copy of the Beginner's Guide to SIEM now! http://www.sans.org/info/187710

***************************************************************************

TRAINING UPDATE

--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016

--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016

--SANS Virginia Beach 2016 | Virginia Beach, VA | August 22-September 2 | https://www.sans.org/event/virginia-beach-2016

--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016

--SANS Northern Virginia 2016 | Crystal City, VA | September 6-11 | https://www.sans.org/event/crystal-city-2016

--SANS Network Security 2016 | Las Vegas, NV | September 10-19 | https://www.sans.org/event/network-security-2016

--SANS London Autumn 2016 | London, UK | September 19-24 | https://www.sans.org/event/london-autumn-2016

--Security Leadership Summit & Training | September 27 - October 4, 2016 | Dallas, TX | https://www.sans.org/event/security-leadership-summit-2016

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA | https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic | https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD | https://www.sans.org/event/baltimore-2016

***************************************************************************

---

TOP OF THE NEWS

DoJ Official: Legal Action is Strong Cyber Deterrent (August 1, 2016)

Speaking at the Aspen Security Forum in Colorado, John Carlin, assistant attorney general for national security, said that indictments and sanctions have been effective tools in deterring cyber attacks from foreign countries. Carlin also noted that going public with news of attacks, as with the Sony Pictures attack, changes not only the actions of those launching attacks, and sends a message to others.
Read more in:
Federal News Radio: DoJ: Cyber indictments, sanctions tell other nations to 'get off our lawn'
-http://federalnewsradio.com/cybersecurity/2016/08/doj-cyber-indictments-sanction
s-tell-nations-get-off-lawn/

Russia Says Critical Infrastructure Systems Infected with Malware (August 1, 2016)

Russia's Federal Security Service (FSB) says that there is evidence of malware on networks of 20 organizations that have ties to Russia's federal government, including elements of the country's critical infrastructure. The malware allows attackers to activate cameras and microphones, take screenshots, and log keystrokes. Initial infections appear to have been made through phishing emails.

[Editor Comments ]


[Williams ]
This announcement by the Russians is an example of disinformation strategically timed to cast doubt on the probable Russian hack of the DNC. The hope is likely that the uninformed public will link the malware in the FSB to the DNC hack and believe that even if the US Intelligence Community links the hack to the Russians, there will be doubt as to who was controlling the Russian computers.
Read more in:
FCW: Russia reports hack on its federal agencies
-https://fcw.com/articles/2016/08/01/rockwell-russia-fsb-cyber-hack.aspx
The Register: Russia reports RAT scurrying through govt systems, chewing data
-http://www.theregister.co.uk/2016/08/01/russia_reports_rat_scurrying_through_gov
t_systems_chewing_data/
Computerworld: Russia says spies planted malware on critical infrastructure
-http://www.computerworld.com/article/3102178/security/russia-says-spies-planted-
malware-on-critical-infrastructure.html
BBC: Russia cyber attack: Large hack 'hits government ?
-http://www.bbc.com/news/world-europe-36933239

NIST: SMS-Based Two-Factor Authentication to be Phased Out (July 27 and 28, 2016)

In an update to its Digital Authentication Guidelines, the US National Institute of Standards and Technology (NIST) calls for phasing out two-factor authentication via SMS messaging, saying that the method does not offer adequate security. The guidance applies to government service providers.

[Editor Comments ]


[Pescatore ]
The new SP 800-63b actually says "OOB (out of band) using SMS is deprecated, and may no longer be allowed in future releases of this guidance." While SMS messages as a second factor isn't attack-proof, nothing is - and using text messaging as a second factor is a huge improvement over continuing to use reusable passwords and only allowing an obsolete technology like PCMCIA cards for 2FA.

[Paller ]
NIST missed all 3 of the 3Ps on this one: practicality, prioritization, and precision. Who is in charge of cyber at NIST? How could they possibly believe this would improve cybersecurity?
Read more in:
eWeek: NIST Says SMS-Based Two-Factor Authentication Isn't Secure
-http://www.eweek.com/security/nist-says-sms-based-two-factor-authentication-isnt
-secure.html
SC Magazine: Feds nix SMS-based 2FA
-http://www.scmagazine.com/feds-nix-sms-based-2fa/article/512108/
NIST: DRAFT NIST Special Publication 800-63B Digital Authentication Guideline
-https://pages.nist.gov/800-63-3/sp800-63b.html

---

*************************** SPONSORED LINKS *****************************
1) What Works: A Credit Union Increased Network Security With Network Access Control Based on Great Bay Software Beacon. Tuesday, August 23rd, 2016 at 11:00 AM (11:00:00 EDT/US Eastern) with John Pescatore and Jeremy Taylor. http://www.sans.org/info/187715

2) Take the SANS Financial Security Survey today & enter to win a $400 AMAZON GIFT CARD! http://www.sans.org/info/187720

3) Help SANS determine how organizations conduct CONTINUOUS VULNERABILITY ASSESSMENT and remediation related to the CIS Critical Security Controls- http://www.sans.org/info/187725
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Google Implements HSTS for Google.com (August 1, 2016)

Google has implemented HTTPS Strict Transport Security (HSTS) for Google.com, a security measure aimed at blocking SSL-stripping and man-in-the-middle attacks. All major browsers support HSTS. Google is currently forcing HTTPS connections for Gmail, Inbox, the Play Store, Hangouts, and Docs.
Read more in:
ZDNet: Google's HSTS rollout: Forced HTTPS for google.com aims to help block attacks
-http://www.zdnet.com/article/googles-hsts-rollout-forced-https-for-google-com-ai
ms-to-help-block-attacks/
InfoWorld: Google steps up home page security with HSTS
-http://www.infoworld.com/article/3102143/security/google-steps-up-home-page-secu
rity-with-hsts.html

Vietnamese Airport Flight Information Systems Compromised (August 1, 2016)

Attackers compromised flight information screens at two major airports in Vietnam over the weekend. The attackers used the access to post political propaganda. The group claiming responsibility for the attacks is from China. A local source said that a Vietnamese airline's website was also the target of a cyberattack.
Read more in:
ZDNet: Chinese hackers take down Vietnam airport systems
-http://www.zdnet.com/article/chinese-hackers-take-down-vietnam-airport-systems/
The Register: Your next flight is to Glorious China, Owners Of All South China Sea
-http://www.theregister.co.uk/2016/08/01/vietnam_flight_info_hack/

US Social Security Administration Requires Two-Factor Authentication for Online Access (August 1, 2016)

US citizens who manage their Social Security benefits online will now be required to use two-factor authentication. The US Social Security Administration will require holders of "my Social Security" accounts to provide a cell phone number. Users who do not have a cell phone or who do not want to provide the SSA with that number can use other "extra security" options, which involve receiving a code via US Mail and entering that along with other identifying information, such as the last for digits of a credit card number or information from IRS tax forms.

[Editor Comments ]


[Pescatore ]
This is a very good thing to protect existing accounts against the usual phishing attacks but unless the SSA works with mobile carriers to verify identities, it doesn't do anything to stop new account fraud.
Read more in:
KrebsonSecurity:
-http://krebsonsecurity.com/2016/08/social-security-administration-now-requires-t
wo-factor-authentication/

Google Adds Security Alert Feature to Android (August 1, 2016)

Google has added a feature to Android that alerts users with on-screen notification when new devices are added to their accounts and when there is a security event on their accounts. If users believe the activity is suspicious, they can select "Review Account Activity" for details. Previously, these notifications were sent as email.
Read more in:
CNET: Google updates Android with onscreen security notifications
-http://www.cnet.com/news/google-updates-android-with-onscreen-security-notificat
ions/
Google: Notifying Android users natively when devices are added to their account to keep them secure
-http://googleappsupdates.blogspot.com/2016/08/notifying-android-users-natively-w
hen.html

Intel Crosswalk SSL Library Flaw Affects Android (July 31, 2016)

A vulnerability in Intel's Crosswalk SSL library could be exploited to launch man-in-the-middle (MITM) attacks against Android-based devices. The problem lies in the way the library handles SSL errors. If a user accepts an invalid or self-signed SSL certificate, Crosswalk remembers and applies that decision to future certificates. Developers are urged to patch their projects and push out updates.
Read more in:
The Register: Intel's Crosswalk open source dev library has serious SSL bug
-http://www.theregister.co.uk/2016/07/31/intels_crosswalk_open_source_dev_library
_has_serious_ssl_bug/

NIST: First Responder Mobile Tech Cybersecurity Guidelines (July 29, 2016)

The US National Institute of Standards and Technology (NIDT) has published a reference design for multifactor authentication and single-sign on for first responders. Public safety personnel often use different applications and even operating systems from department to department. The reference design aims to "improve interoperability between mobile platforms, applications, and identity platforms regardless of the application development platform used in their construction."
Read more in:
GCN: NIST drafts mobile security guidelines for responder tech
-https://gcn.com/blogs/cybereye/2016/07/mobile-authentication-public-safety.aspx
NIST: Mobile Application Single Sign-on for Public Safety and First Responders (PDF)
-https://nccoe.nist.gov/sites/default/files/library/project-descriptions/psfr-mob
ile-sso-project-description-draft.pdf

---

INTERNET STORM CENTER TECH CORNER

rtfobj Update
-https://isc.sans.edu/forums/diary/rtfobj/21317/

Comodo SSL Certificates Mixup
-https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-cert
ificates-from-comodo-via-dangling-markup-injection/index.html

SwiftKey Keyboard May Leak Private Data to Other Users
-https://blog.swiftkey.com/important-information-relating-to-the-status-of-our-sy
nc-services/

New Version of OPNSense Released
-https://forum.opnsense.org/index.php?topic=3428.0

WhatsApp Does Not Delete All Chats
-http://www.zdziarski.com/blog/?p=6143

Are You Getting I-CANNED?
-https://isc.sans.edu/forums/diary/Are+you+getting+ICANNED/21323/

Windows 10 Anniversary Edition
-https://blogs.windows.com/windowsexperience/2016/06/29/windows-10-anniversary-up
date-available-august-2/

Pangu Jailbreak Leading To Compromised Accounts?
-https://www.reddit.com/r/jailbreak/comments/4v9cju/discussion_is_pangus_jailbrea
k_safe_an_hour_after/
-https://twitter.com/PanguTeam/status/759729314577342468

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create