Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #62

August 05, 2016

TOP OF THE NEWS

Banner Health Data Breach
Illinois Hospital Chain Will Pay US $5.5 Million HIPAA Violation Fine
Mudge's New Software Rating System

THE REST OF THE WEEK'S NEWS

Bitfinex Bitcoin Theft
Should Election Systems be Considered Critical Infrastructure?
RAT Found on Computers Associated with South China Sea Arbitration
Guilty Plea in Press Release Theft and Trading Scheme
DARPA Capture the Flag Event in Las Vegas is for Machines Only
HTTP/2 Protocol Vulnerabilities
Firefox 48 has Multi-Process Architecture

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


*********************** Sponsored By ThreatSTOP *************************
Test the industry-leading ThreatSTOP DNS Firewall free for 30 days. The cloud-based service works with all leading DNS servers to block outbound communications with threat actors to prevent data theft and corruption. Installs in under an hour and delivers powerful reporting and tools to gain visibility into blocked threats.
http://www.sans.org/info/187785

***************************************************************************

TRAINING UPDATE

--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016

--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016

--SANS Virginia Beach 2016 | Virginia Beach, VA | August 22-September 2 | https://www.sans.org/event/virginia-beach-2016

--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016

--SANS Northern Virginia 2016 | Crystal City, VA | September 6-11 | https://www.sans.org/event/crystal-city-2016

--SANS Network Security 2016 | Las Vegas, NV | September 10-19 | https://www.sans.org/event/network-security-2016

--SANS London Autumn 2016 | London, UK | September 19-24 | https://www.sans.org/event/london-autumn-2016

--Security Leadership Summit & Training | September 27 – October 4, 2016 | Dallas, TX | https://www.sans.org/event/security-leadership-summit-2016

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA | https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic | https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD | https://www.sans.org/event/baltimore-2016

***************************************************************************

TOP OF THE NEWS

Banner Health Data Breach (August 4, 2016)

Banner Health, a hospital services provider, has begin notifying 3.7 million people that their personal information, including payment card data and health record information, may have been compromised in a breach earlier this year. The breach affects members of Banner's health plan, medical personnel who work at Banner facilities, and people who purchased food and drinks at the facilities.

[Editor Comments ]


[Murray ]
Even from these limited reports, one may infer that Banner operates a flat network, likely with a high level of trust among systems and apps. We call that a "soft target." It is hardly the level of security one might expect in such an enterprise, not the level contemplated (though never explicitly specified) in the HIPAA guidance.
Read more in:
Computerworld: Banner Health alerts 3.7M potential victims of hack of its computers
-http://www.computerworld.com/article/3104039/security/banner-health-alerts-37m-p
otential-victims-of-hack-of-its-computers.html

BBC: US health insurer warns 3.7m after cyber-attack
-http://www.bbc.com/news/technology-36976701

Illinois Hospital Chain Will Pay US $5.5 Million HIPAA Violation Fine (August 4, 2016)

Advocate Health Care Network, Illinois largest hospital chain, will pay a record US $5.5 million fine for failing to adequately protect patient data, resulting in the exposure of more than four million patient records. The fine is the highest ever imposed under Health Insurance Portability and Accountability Act (HIPAA) regulations.

[Editor Comments ]


[Pescatore ]
That fine is a small percentage of the overall cost to Advocate of this incident, but the HHS action also requires Advocate to undergo yearly external audits for a long period of time. Advocate's biggest failing was not encrypting data on laptops or PCs that were not physically secure; a thief stole them. Advocate Medical Group had 1,500 physicians. Let's say they have 5,000 total PCs and laptops. The cost of turning on encryption on PCs and laptops was probably less than $1M - 20% of the fine and probably less than 1% of the overall cost to Advocate of the 4M record breach.

[Murray ]
It is time to ask whether there is resistance, rather than simple indifference or incompetence, to security in this industry, and what size fines might be required to over come it?
Read more in:
Computerworld: Illinois hospital chain to pay record $5.5M for exposing data about millions of patients
-http://www.computerworld.com/article/3104142/healthcare-it/illinois-hospital-cha
in-to-pay-record-55m-for-exposing-data-about-millions-of-patients.html

Mudge's New Software Rating System (August 2, 2016)

Peiter Zatko and Sarah Zatko are developing a rating system for software. The Zatkos' rating system focuses on examining the source code's binaries, which tell computers what to do. Zatko, better known as Mudge, is an icon in computer security. He was the most visible member of L0pht, was an invited participant in the first public meeting on cybersecurity ever held with the President in the White House; went on to DARPA where he oversaw a security research portfolio; and then, in 2013 moved to to Google.

[Editor Comments ]


[Pescatore ]
Businesses and government agencies adopting acceptance criteria for the software they buy is badly needed. Veracode has a VerAfied program where dozens of companies (including several security product firms) have their products tested for known vulnerabilities. In government, the NIST SAMATE (Software Assurance Metrics And Tool Evaluation) effort has been looking at this area for over a decade, but the Federal Government has made near zero progress moving forward.

[Murray ]
We desperately need research into measuring software quality. "Engineering" begins with Strength of Materials.

[Paller ]
Mudge is the right guy. In the meeting at the White House with the President and the National Security Advisor, most of the dozen or so tech CEOs in the room offered few specifics and nothing of value, but Mudge looked directly at the President, and said "whatever you do, please don't criminalize the use of hacking tools." I am glad he is focusing on software security - that's one of only two ways to get ahead of the security problem instead of constantly responding to attacks. His new project will succeed, however only when companies and governments include specific clauses (not FAR clauses) in software contracts that require clean audits of security of software BEFORE accepting the software for delivery.
Read more in:
Reuters: Famed hacker creates new ratings system for software
-http://www.reuters.com/article/us-usa-cyber-ratings-idUSKCN10D2EO


*************************** SPONSORED LINKS *****************************
1) Don't Miss: What Works: A Credit Union Increased Network Security With Network Access Control Based on Great Bay Software Beacon. Tuesday, August 23rd, 2016 at 11:00 AM Eastern with John Pescatore and Jeremy Taylor. http://www.sans.org/info/187775

2) Top Office 365 Mail Vulnerabilities: Attacks on your Users Right Now. Wednesday, August 31st, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Michael Landewe, Chris Isbrecht and Kip James. Register: http://www.sans.org/info/187780

3) Help SANS determine how organizations conduct CONTINUOUS VULNERABILITY ASSESSMENT and remediation related to the CIS Critical Security Controls- http://www.sans.org/info/187750
***************************************************************************

THE REST OF THE WEEK'S NEWS

Bitfinex Bitcoin Theft (August 3, 2016)

Digital currency exchange Bitfinex appears to have lost nearly 120,000 Bitcoins to thieves. Bitfinex trades other digital currencies as well, but only Bitcoins were affected in this incident. The Hong Kong based exchange has suspended trading. Following reports of the theft, the value of Bitcoins dropped by 20 percent.
Read more in:
Computerworld: Bitcoin exchange Bitfinex may have lost $63M to hackers
-http://www.computerworld.com/article/3103487/e-commerce/bitcoin-exchange-bitfine
x-may-have-lost-63m-to-hackers.html

The Register: $67M in bitcoin stolen as hacking typhoon lashed Hong Kong's Bitfinex
-http://www.theregister.co.uk/2016/08/03/67m_in_bitcoin_stolen_as_hacking_typhoon
_lashes_hong_kongs_bitfinex/

Ars Technica: Bitcoin value falls off cliff after $77M stolen in Hong Kong exchange hack
-http://arstechnica.com/security/2016/08/bitcoin-value-falls-off-cliff-after-58m-
in-btc-stolen-in-hong-kong-exchange-hack/

Should Election Systems be Considered Critical Infrastructure? (August 3, 2016)

The US Department of homeland Security (DHS) is considering designating election systems as critical infrastructure, which means that DHS would have the responsibility of helping protect those systems from cyberthreats. There are approximately 9,000 election systems at the state and local levels in the US.

[Editor Comments ]


[Assante ]
Really? Would we not include the whole of 'eGovernment'? Election systems although distributed, are simply one of many important systems that support the formation, operation, and effectiveness and integrity of our government and its processes. Prioritizing systems used for interaction between citizens and their elected officials makes a lot of sense, especially If we use Estonia and Ukraine as instructional case studies.

[Pescatore ]
The simple answer: Yes, election systems are Critical Infrastructure. However, it is not a simple answer if you ask whether DHS involvement will improve the security of election systems. Those systems are essentially commercial products. They don't change as fast as consumer products, but they've proven to move faster than either the Election Assistance Commission or DHS can respond. Since in the US the systems are owned and operated at the state level, I'd rather see some funding to the MS-ISAC for a "security sprint" effort to start, and for a long-term mandatory system certification effort.
Read more in:
Christian Science Monitor: Homeland Security chief weighs plan to protect voting from hackers
-http://www.csmonitor.com/World/Passcode/2016/0803/Homeland-Security-chief-weighs
-plan-to-protect-voting-from-hackers

Federal News Radio: DHS considers adding election system as critical cyber infrastructure
-http://federalnewsradio.com/cybersecurity/2016/08/dhs-considers-adding-election-
system-critical-cyber-infrastructure/

The Wall Street Journal: US Considers Classifying Election System as 'Critical Infrastructure'
-http://www.wsj.com/articles/u-s-considers-classifying-election-system-as-critica
l-infrastructure-1470264895

RAT Found on Computers Associated with South China Sea Arbitration (August 4, 2016)

Philippine negotiators in the South China Sea dispute have found malware on their computers. According to F-Secure, a remote access Trojan (RAT) that appears to emanate from China has been found on computers belonging to parties related to a dispute regarding national boundaries in the South China Sea. The malware, dubbed NanHaiShu, was deployed prior to a July 12 Permanent Court of Arbitration ruling against China in the territorial dispute. The RAT was detected on computers belonging to the Department of Justice of the Philippines, the organizers of the Asia-Pacific Economic Cooperation Summit, and a law firm involved in the arbitration.
Read more in:
The Hill: China suspected of hacking South China Sea arbitration
-http://thehill.com/policy/cybersecurity/290367-china-suspected-of-hacking-south-
china-sea-arbitration

V3: China using malware against South China Sea rivals
-http://www.v3.co.uk/v3-uk/news/2467090/china-using-malware-against-south-china-s
ea-rivals

F-Secure: NanHaiShu: RATing the South China Sea (PDF)
-https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf

Guilty Plea in Press Release Theft and Trading Scheme (August 2, 2016)

Leonid Momotok has pleaded guilty to conspiracy to commit wire fraud for his role in a scheme that profited from information in press releases that were obtained before they were published. According to the US Justice Department (DoJ), Momotok, along with other securities traders and cyber thieves stole more than 150,000 press releases. They made US $30 million in profits from the illegal trades.
Read more in:
The Hill: Trader pleads guilty in newswire hack scheme
-http://thehill.com/policy/cybersecurity/290156-trader-pleads-guilty-in-newswire-
hack-scheme

US Justice Dept.: Georgia Trader Pleads Guilty to Large Known Computer Hacking and Trading Scheme
-https://www.justice.gov/usao-edny/pr/georgia-trader-pleads-guilty-largest-known-
computer-hacking-and-trading-scheme

DARPA Capture the Flag Event in Las Vegas is for Machines Only (August 4, 2016)

Earlier this week in Las Vegas, the US Defense Advanced Research Projects Agency (DARPA) held a competition in which the participants were machines. The systems, created by seven teams, were designed to detect, evaluate, and fix vulnerabilities quickly during the machine-only capture the flag competition. DARPA announced the competition nearly three years ago. More than 100 teams applied; the seven teams participating in Las Vegas competition were chosen as finalists after a series of qualifying events.
Read more in:
Computerworld: In DARPA challenge, smart machines compete to fend off cyberattacks
-http://www.computerworld.com/article/3104593/security/in-darpa-challenge-smart-m
achines-compete-to-fend-off-cyberattacks.html

Christian Science Monitor: High-stakes DARPA hacking contest pits computer against computer
-http://www.csmonitor.com/World/Passcode/Security-culture/2016/0801/High-stakes-D
ARPA-hacking-contest-pits-computer-against-computer

HTTP/2 Protocol Vulnerabilities (August 4, 2016)

Four serious vulnerabilities in the HTTP/2 protocol could be exploited to crash programs, systems, or servers, and cause other problems. HTTP/2 was designed to help browsers and servers communicate more efficiently, improving users' online experience. According to one estimate, it has been adopted by 8.7 percent of websites.
Read more in:
ZDNet: Severe vulnerabilities discovered in HTTP/2 protocol
-http://www.zdnet.com/article/severe-vulnerabilities-discovered-in-http2-protocol
/

Imperva: HTTP/2 In-depth analysis of the top four flaws of the next generation web protocol (PDF)
-http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf

Firefox 48 has Multi-Process Architecture (August 2, 3, and 4, 2016)

Mozilla has released Firefox 48. The newest version of the browser includes a feature called "Electrolysis" that helps prevent screens from freezing by having rendering engines work in a process separate from the browser shell. Chrome and Internet Explorer have offered similar features since 2009. To start, just a small number of Firefox 48 users will have Electrolysis enabled by default. If the trial goes well, Electrolysis will be rolled out to approximately half of Firefox 48 users. Firefox 48 will be available for Windows, Mac, Linux, and Android.
Read more in:
SC Magazine: Updated Firefox browser, now with bolstered security
-http://www.scmagazine.com/updated-firefox-browser-now-with-bolstered-security/ar
ticle/514197/

ZDNet: Mozilla Firefox 48: Out now with multi-process Electrolysis to cut lag, freezing
-http://www.zdnet.com/article/mozilla-firefox-48-out-now-with-multi-process-elect
rolysis-to-cut-lag-freezing/

Ars Technica: Firefox 48 ships, bringing Rust mainstream and multiprocess for some
-http://arstechnica.com/information-technology/2016/08/firefox-48-ships-bringing-
rust-mainstream-and-multiprocess-for-some/


INTERNET STORM CENTER TECH CORNER

Windows 10 Aniversary Update Feedback
-https://kc.mcafee.com/corporate/index?page=content&id=KB87536

Android Updates
-https://source.android.com/security/bulletin/2016-08-01.html

Unlocking Murder Victim Phone With Printed Fingerprint
-http://msutoday.msu.edu/news/2016/accessing-a-murder-victims-smartphone-to-help-
solve-a-crime/

signout.live.com remote code execution vulnerability
-http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Ex
ecution-Write-Up.html

Edge/IE Still Leak NTLM Credentials (since 1997!) hxxp://witch.valdikss.org.ru (careful: test site will try to grab credentials)

The Dark Side of Certificate Transparency
-https://isc.sans.edu/forums/diary/The+Dark+Side+of+Certificate+Transparency/2132
9/

HTTP/2 Vulnerabilities
-http://www.imperva.com/docs/Imperva_HII_HTTP2.pdf

Surge in Scans for Netis Router
-https://isc.sans.edu/forums/diary/Surge+in+Exploit+Attempts+for+Netis+Router+Bac
kdoor+UDP53413/21337/

iPhone Thieves Use Targeted Phishing
-https://hackernoon.com/this-is-what-apple-should-tell-you-when-you-lose-your-iph
one-8f07cf73cf82#.spgmbaejk

NUUO/ReadyNAS Video Recorder Vulnerabilities
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/nuuo-nvr-vulns.tx
t

mixed-blend-mode Browser History Leak
-https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create