SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #64
August 12, 2016
TOP OF THE NEWS
Microsoft Secure Boot Leak Demonstrates Risks of Encryption BackdoorsGoogle to Warn Users About Potentially Dangerous eMail
THE REST OF THE WEEK'S NEWS
Linux TCP FlawJuniper Releases Hotfixes for IPv6 Router Flaw
Microsoft Patch Tuesday
Google Chrome Moving Away from Flash
Senator Urges DHS to Classify Election Systems as Critical Infrastructure
London Police Still Running Windows XP
SAP Security Update
Apple Updates iOS to Version 9.3.4
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER****************** Sponsored By Trend Micro Inc. ***********************
WPAD is an old protocol that's facing new problems. Trend Micro's Forward-Looking Threat Researchers (FTR) did real-world testing and found that WPAD on today's Internet with today's devices opens up new possible attacks. Learn more in our Black Hat 2016 report on "badWPAD - The Lasting Menace of a Bad Protocol".
http://www.sans.org/info/187987
***************************************************************************
TRAINING UPDATE
--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016
--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016
--SANS Virginia Beach 2016 | Virginia Beach, VA | August 22-September 2 | https://www.sans.org/event/virginia-beach-2016
--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016
--SANS Northern Virginia 2016 | Crystal City, VA | September 6-11 | https://www.sans.org/event/crystal-city-2016
--SANS Network Security 2016 | Las Vegas, NV | September 10-19 | https://www.sans.org/event/network-security-2016
--SANS London Autumn 2016 | London, UK | September 19-24 | https://www.sans.org/event/london-autumn-2016
--Security Leadership Summit & Training | September 27 - October 4, 2016 | Dallas, TX | https://www.sans.org/event/security-leadership-summit-2016
--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA | https://www.sans.org/event/seattle-2016
--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic | https://www.sans.org/event/dfir-prague-2016
--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD | https://www.sans.org/event/baltimore-2016
***************************************************************************
TOP OF THE NEWS
Microsoft Secure Boot Leak Demonstrates Risks of Encryption Backdoors (August 10 and 11, 2016)
Microsoft mistakenly publicly released a Secure Boot policy that essentially provides a backdoor around boot protection. Secure Boot protects devices running Windows 8.1 and newer by preventing unauthorized operating systems from booting. Microsoft has issued patches to reduce the vunerability but under certain conditions this information can still be used to install alternate operating systems, like Android or Linux, on Windows devices, they could also be abused to install rootkits. The issue illustrates the dangers inherent in incorporating encryption backdoors in products.[Editor Comments ]
[Pescatore ]
Backdoors, like hardcoded passwords, are a convenience vs. security tradeoff that always ends badly. Microsoft has commented that published exploits do not work on "...desktop or enterprise PC systems. It requires physical access and administrator rights to ARM and RT devices and does not compromise encryption protections."
See more at: Microsoft Mistakenly Leaks Secure Boot Key
-https://wp.me/p3AjUX-vaI
Read more in:
Ars Technica: Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open
-http://arstechnica.com/security/2016/08/microsoft-secure-boot-firmware-snafu-lea
ks-golden-key/
The Register: Bungling Microsoft singlehandedly proves that golden backdoor keys are a terrible idea
-http://www.theregister.co.uk/2016/08/10/microsoft_secure_boot_ms16_100/
The Hill: Researchers crack Microsoft feature, say encryption backdoors similarly crackable
-http://thehill.com/policy/cybersecurity/290947-researchers-crack-microsoft-featu
re-say-encryption-backdoors-similarly
ZDNet: Microsoft Secure Boot key debacle causes security panic
-http://www.zdnet.com/article/microsoft-secure-boot-key-debacle-causes-security-p
anic/
Google to Warn Users About Potentially Dangerous eMail (August 10, 2016)
In a blog post, Google says it will send warnings to users when they receive email messages that could harm their computers. The warning will ask users if they want to open messages that Google deems untrustworthy either because they contain links to sites known to host malware, or because Google cannot authenticate that the sender is who it claims to be.[Editor Comments ]
[Pescatore ]
I hope all consumer email services follow Google's lead in pushing SPF and DKIM and automatically warning users when messages they receive are likely to be bogus or dangerous. I can't help still feeling a bit of queasiness about security decisions being made over ad-supported email services like Gmail which essentially sell advertisers information based on the content of users' email. There is a conflict of interest that turns into calls for "net neutrality" when abused. But, the state of the Internet would be so much better if ISPs had been doing this for the past 20 years, instead of just passing along known attacks and phishing emails.
Read more in:
CNET: Don't click on that: Google updates email warnings
-http://www.cnet.com/news/dont-click-on-that-google-updates-email-warnings/
ZDNet: Google Gmail: Now you about get security alerts about senders to beat email spoofing
-http://www.zdnet.com/article/google-gmail-now-you-get-security-alerts-about-send
ers-to-beat-email-spoofing/
Google: Making email safer with new security warnings in Gmail
-http://googleappsupdates.blogspot.se/2016/08/making-email-safer-with-new-securit
y-warnings-in-gmail.html
*************************** SPONSORED LINKS *****************************
1) Register Now for the What Works Webcast: "A Credit Union Increased Network Security With Network Access Control Based on Great Bay Software Beacon". Tuesday, August 23rd, 2016 at 11:00 AM Eastern with John Pescatore and Jeremy Taylor. http://www.sans.org/info/187775
2) Don't Miss: "Top Office 365 Mail Vulnerabilities: Attacks on your Users Right Now". Wednesday, August 31st, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Michael Landewe, Chris Isbrecht and Kip James. http://www.sans.org/info/187780
3) Help SANS determine how organizations conduct CONTINUOUS VULNERABILITY ASSESSMENT and remediation related to the CIS Critical Security Controls- http://www.sans.org/info/187750
***************************************************************************
THE REST OF THE WEEK'S NEWS
Linux TCP Flaw (August 10 and 11, 2016)
A critical flaw in the Linux operating system could be exploited to hijack websites. The issue affects Linux kernel versions 3.6 and newer. It could be exploited to disrupt TCP connections between arbitrary hosts and inject malware into downloads and webpages. The issue is the result of a Linux standard that was intended effort to make TCP/IP more secure.Read more in:
SC Magazine: USA Today and other popular sites vulnerable to serious hijacking attacks
-http://www.scmagazine.com/linux-vulnerability-could-allow-serious-hijacking-atta
cks-on-popular-sites/article/515614/
ZDNet: Linux TCP flaw lets 'anyone' hijack Internet traffic
-http://www.zdnet.com/article/linux-tcp-flaw-lets-anyone-hijack-internet-traffic/
Ars Technica: Linux bug leaves USA Today, other top sites vulnerable to serious hijacking attacks
-http://arstechnica.com/security/2016/08/linux-bug-leaves-usa-today-other-top-sit
es-vulnerable-to-serious-hijacking-attacks/
The Register: Linux security backfires: Flaw lets hackers inject malware into downloads, disrupt Tor users, etc
-http://www.theregister.co.uk/2016/08/10/linux_tor_users_open_corrupted_communica
tions/
Juniper Releases Hotfixes for IPv6 Router Flaw (August 9, 2016)
Juniper networks has developed hotfixes for a vulnerability affecting firmware on its routers that could be exploited to create denial-of-service conditions. The flaw appears to affect devices that process IPv6 traffic. The issue was first detected in Cisco firmware in May of this year; Cisco made workarounds and a partial fix available last month. The issue is expected to be fixed in a future IPv6 release.[Editor Comments ]
[Williams ]
IPv6 packets are extremely complicated to parse. Some critics cite high numbers of vulnerabilities with IPv6 as a reason to remain on IPv4. However, they should recognize that IPv4 had a large number of vulnerabilities earlier as well, even though it is a much less complex protocol.
Read more in:
Ars Technica: IPv6 router bug: Juniper spins out hotfix to thwart DDoS attacks
-http://arstechnica.com/security/2016/08/ipv6-router-bug-juniper-cisco-ddos-attac
ks/
Juniper: IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability
-https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10749&cat=SIR
T_1&actp=LIST
Microsoft Patch Tuesday (August 9 and 10, 2016)
Microsoft has released nine bulletins addressing more than 30 vulnerabilities in Windows, Edge, Internet Explorer, Office, and other products. Five of the nine bulletins address issues rated critical.Read more in:
The Register: Web pages, Word docs, PDF files, fonts - behold your latest keys to infecting Windows PCs
-http://www.theregister.co.uk/2016/08/09/august_2016_patch_tues/
Computerworld: Microsoft patches 27 flaws in Windows, Office, IE and Edge
-http://www.computerworld.com/article/3105992/security/microsoft-patches-27-flaws
-in-windows-office-ie-and-edge.html
V3: Patch Tuesday: Microsoft releases nine updates as yearly total passes 100
-http://www.v3.co.uk/v3-uk/news/2467589/patch-tuesday-microsoft-releases-nine-upd
ates-as-yearly-total-passes-100
KrebsonSecurity: Got Microsoft? Time to Patch Your Windows
-http://krebsonsecurity.com/2016/08/got-microsoft-time-to-patch-your-windows/
Microsoft: Microsoft Security Bulletin Summary for August 2016
-https://technet.microsoft.com/library/security/ms16-aug
Google Chrome Moving Away from Flash (August 9, 2016)
Starting in September with Chrome 53, Google plans to start to "de-emphasize Flash in favor of HTML5." Google says it will replace Flash with HTML5 as the "default experience" in version 55 of its Chrome browser, which is scheduled for release in December. Content that remains available in Flash only will be click-to-play.Read more in:
The Register: Google Chrome will beat Flash to death with a shovel: Why... won't... you... just... die!
-http://www.theregister.co.uk/2016/08/09/google_chrome_55_flash/
CNET: Google to push Flash closer to extinction with new version of Chrome
-http://www.cnet.com/news/google-to-push-flash-closer-to-extinction-with-new-vers
ion-of-chrome/
Google Blog: Flash and Chrome
-https://chrome.googleblog.com/2016/08/flash-and-chrome.html
Senator Urges DHS to Classify Election Systems as Critical Infrastructure (August 9, 2016)
US Senator Tom Carper (D-Delaware) has sent a letter to the Department of Homeland Security urging that election systems be classified as critical infrastructure, which would grant them greater protections from attacks. In the letter, Carper writes, "I encourage you to move quickly to provide appropriate technical assistance and any other support to state and local jurisdictions that request assistance with the cybersecurity of their election systems."[Editor Comments ]
[Murray ]
I am sure that this proposal is well intended to address the Senator's fear, uncertainty, and doubt, shared to some degree by many. Our feeling about our election system is like our feelings about Congress and public education; everyone hates the system but they love their congressman, their school, and their poll. This proposal is an inappropriate, probably unconstitutional, over-reaching response to a non-problem. Our current system works extremely well. It is robust and resilient, with no single point of failure or compromise. It works as well as it does because of diversity, local supervision, and local physical control. "If it ain't broke, don't fix it."
Read more in:
The Hill: Carper pushes DHS for elections to be classified critical infrastructure
-http://thehill.com/policy/cybersecurity/290941-carper-pushes-dhs-for-elections-t
o-be-classified-critical-infrastructure
Senate: Carper Urges DHS to Protect the US Election Systems from Cyberattacks
-https://www.hsgac.senate.gov/media/minority-media/carper-urges-dhs-to-protect-th
e-us-election-systems-from-cyberattacks
London Police Still Running Windows XP (August 10, 2016)
The London Metropolitan Police (the Met) force is still running Windows XP on 27,000 PCs. The organization is paying Microsoft GBP 1.65 million (US $2.14 million) for custom support through April 2017. Microsoft stopped free support for Windows XP more than two years ago. The Met has migrated some PCs to Windows 8.1. Some are questioning why they have not chosen to migrate to Windows 10.[Editor Comments ]
[Northcutt ]
Forget the support cost, that is money poorly spent. Some issues cannot be dealt with using XP. The MET needs to move to Win 10 ASAP.
Read more in:
ZDNet: How sticking with Microsoft Windows XP is costing London cops over $2m
-http://www.zdnet.com/article/how-sticking-with-microsoft-windows-xp-is-costing-l
ondon-cops-over-2m/
SAP Security Update (August 10, 2016)
SAP has released a security update that includes 13 security notes. The updates address a variety of vulnerabilities, including directory traversal flaws, missing authorization checks, flaws that could be exploited to create denial-of-service conditions, and flaws that could be exploited through cross-site scripting attacks and SQL injection attacks.Read more in:
ZDNet: SAP blasts critical software problems in patch update
-http://www.zdnet.com/article/sap-blasts-critical-software-problems/
SAP: SAP Security Patch Day - August 2016
-http://scn.sap.com/community/security/blog/2016/08/09/sap-security-patch-day--au
gust-2016
Apple Updates iOS to Version 9.3.4 (August 11, 2016)
Apple has released an update for its mobile operating system, iOS 9.3.4, which fixes a memory corruption issue that could be exploited "to execute arbitrary code with kernel privileges." The update blocks a jailbreak bug known as IOMobileFrameBuffer.Read more in:
SC Magazine: Apple blocks Pangu jailbreak bug with OS upgrade 9.3.4
-http://www.scmagazine.com/apple-blocks-pangu-jailbreak-bug-with-os-upgrade-934/a
rticle/515588/
Apple: About the security content of iOS 9.3.4
-https://support.apple.com/en-us/HT207026
INTERNET STORM CENTER TECH CORNER
MSFT Patch Tuesday Summary-https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+August+2016/21357/
Adobe Patch for Adobe Experience Manager
-https://helpx.adobe.com/security/products/experience-manager/apsb16-27.html
Avast Anti Virus Conflict With Windows 10 Anniversary Update
-https://forum.avast.com/index.php?topic=189403.0
Bling Spoofing of TCP Connections CVE-2016-5696
-http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
Fingerprinting TLS Using TShark
-https://isc.sans.edu/forums/diary/Profiling+SSL+Clients+with+tshark/21361/
Forensics Artifcats on iOS Messaging Apps
-https://isc.sans.edu/forums/diary/Looking+for+the+insider+Forensic+Artifacts+on+
iOS+Messaging+App/21363/
Vulnerable VW Remote Keyless Unlock
-https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentati
on/garcia
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create