SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #69

August 30, 2016

TOP OF THE NEWS

Attack on State Election Databases Prompts FBI Warning
Election Systems Security: Report
Pennsylvania and Georgia Decline DHS Voting System Security Help

THE REST OF THE WEEK'S NEWS

Kaspersky Patches Driver Flaws
Chinese Certificate Authority Accidentally Issued Base Certificates
Medical Device Flaw Disclosure Raises Ethical Questions
Thailand ATM Attacks Used Ripper Malware
Man Found Guilty in Restaurant Point-of-Sale Payment Card Theft Scheme

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

********************* Sponsored By Sophos Inc. *************************

You've gone back and forth on encryption, its benefits and challenges, and you've made the decision: to keep your data truly safe, your organization needs encryption. So what now? What is the best, safest way to implement encryption without disrupting your users' workflow and effectiveness? Learn more with this encryption implementation guide:
http://www.sans.org/info/188267

***************************************************************************

TRAINING UPDATE

--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 |
https://www.sans.org/event/brussels-autumn-2016

--SANS Northern Virginia 2016 | Crystal City, VA | September 6-11 |
https://www.sans.org/event/crystal-city-2016

--SANS Network Security 2016 | Las Vegas, NV | September 10-19 |
https://www.sans.org/event/network-security-2016

--SANS London Autumn 2016 | London, UK | September 19-24 |
https://www.sans.org/event/london-autumn-2016

--Security Leadership Summit & Training | Dallas, TX | September 27 - October 4, 2016 |
https://www.sans.org/event/security-leadership-summit-2016

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA |
https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic |
https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD |
https://www.sans.org/event/baltimore-2016

--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan |
https://www.sans.org/event/tokyo-autumn-2016

--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA |
https://www.sans.org/event/tysons-corner-2016

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA |
https://www.sans.org/event/san-diego-2016

--Pen Test HackFest Summit & Training | November 2-9, 2016 | Crystal City, VA |
https://www.sans.org/event/pen-test-hackfest-2016

---

TOP OF THE NEWS

Attack on State Election Databases Prompts FBI Warning (August 29, 2016)

Earlier this month, the FBI's Cyber Division issued a flash alert warning that election databases in two US states have suffered intrusions, likely by foreign attackers. The agency is investigating both incidents. In at least one of the intrusions, attackers were able to exfiltrate data. The alert lists eight IP addresses used in the attacks. The attacks occurred in Illinois and Arizona. Brian Kalkin, vice president of operations of the Center for Internet Security, which operates the multistate information sharing and analysis center (MS-ISAC) expressed concern that intruders could alter or delete data.

Election Systems Security: Report (August 29, 2016)

The Institute for Critical Infrastructure Technology has released a report called "Hacking Elections is Easy! Part 1: Tactics, Techniques, and Procedures." The report concludes that "electronic voting systems are nothing but bare-bone, decade old computer systems that lack even rudimentary endpoint security."

Pennsylvania and Georgia Decline DHS Voting System Security Help (August 26, 2016)

Pennsylvania and Georgia have rejected election system security help from the US Department of Homeland Security (DHS). DHS is offering to scan states' elections systems for vulnerabilities. A Pennsylvania Department of State spokesperson said that the state feels confident that it can provide what is needed. The Georgia Secretary of State cited concerns about state sovereignty.

---

THE REST OF THE WEEK'S NEWS

Kaspersky Patches Driver Flaws (August 29, 2016)

Kaspersky has fixed several security issues that could be exploited to crash its Internet Security suite. Three of the vulnerabilities, which were detected by Cisco's Talos Group, could be exploited to cause denial-of-service conditions that crash software. A fourth vulnerability could be exploited "to leak privileged tokens or kernel memory addresses."
Read more in:
ZDNet: Kaspersky fixes antivirus crash bug:
-http://www.zdnet.com/article/kaspersky-fixes-antivirus-crash-bug/
SC Magazine: Kaspersky patches DoS and kernel flaws affecting drivers:
-http://www.scmagazine.com/kaspersky-patches-dos-and-kernel-flaws-affecting-drive
rs/article/519120/
Talos: Vulnerability Spotlight: Kernel Information Leak & Multiple DOS Issues Within Kaspersky Internet Security Suite:
-http://blog.talosintel.com/2016/08/vulnerability-spotlight-multiple-dos.html

Chinese Certificate Authority Accidentally Issued Base Certificates (August 29, 2016)

Chinese certificate authority WoSign inadvertently gave base certificates for GitHub and The University of Central Florida to a university student. The incident occurred in the summer of 2015. The person who reported the problem noted that "a problem with WoSign's free certificate service ... allowed
[the applicant ]
to get a certificate for the base domain if they were able to prove control of a subdomain."
Read more in:
The Register: Chinese CA hands guy base certificates for GitHub, Florida uni:
-http://www.theregister.co.uk/2016/08/29/chinese_ca_hands_guy_base_certificates_f
or_github_florida_uni/

Medical Device Flaw Disclosure Raises Ethical Questions (August 26 & 29, 2016)

Security company MedSec Holdings enlisted the help of Muddy Waters Capital to deal a harsh blow to a medical device manufacturer St. Jude Medical. MedSec notified Muddy Waters of several security issues in St. Jude devices that were deemed to be putting patients at risk. Muddy Waters "shorted" St. Jude stock based on the information, which it released on its website. MedSec will profit financially from its decision to handle the vulnerability disclosure in this way. MedSec CEO Justine Bone said her company made the decision it did to "spur St. Jude Medical into action." St. Jude has issued a statement refuting MedSec's claims.

[Editor Comments ]

[Pescatore ]
Exposing a product's vulnerability before notifying the product vendor violates well established and well understood norms around responsible disclosure. Any company willfully violating those norms deserves at least a trip to the procurement penalty box - enriching short sellers at the expense of everyone else definitely doesn't demonstrate "put me in your supply chain" type business values.

[Murray ]
Disclosure that is punitive to one party and remunerative to another is ethically questionable on its face. It is fascinating to listen to the parties to this scheme attempt to rationalize and justify their behavior.
Read more in:
Ars Technica: Trading in stock of medical device paused after hackers team with short seller:
-http://arstechnica.com/security/2016/08/trading-in-stock-of-medical-device-pause
d-after-hackers-team-with-short-seller/
The Register: Muddying the waters of infosec: Cyber upstart, investors short medical biz - then reveal bugs:
-http://www.theregister.co.uk/2016/08/26/muddy_waters_medsec_st_jude_security_fla
ws/
The Hill: Unusual stock move shakes up cyber community:
-http://thehill.com/policy/cybersecurity/293459-security-community-shuns-celebrat
es-controversial-med-research-move
Computerworld: Medical device security disclosure ignites an ethics firestorm:
-http://www.computerworld.com/article/3113385/security/medical-device-security-ig
nites-an-ethics-firestorm.html
St. Jude Medical: St. Jude Statement:
-http://investors.sjm.com/investors/financial-news/news-release-details/2016/St-J
ude-Medical-Refutes-Muddy-Waters-Device-Security-Allegations-and-Reinforces-Secu
rity-of-Devices-and-Commitment-to-Patient-Safety/default.aspx

Thailand ATM Attacks Used Ripper Malware (August 25 & 29, 2016)

Earlier this summer, thieves stole more than 12 million Baht (US $347,000) from ATMs in Thailand. At least 21 Government Savings Bank of Thailand ATMs were infected with malware that caused them to disconnect from bank's network. After learning of the attack, the bank shut down 3,000 of its 7,000 cash machines. The malware that was likely used in the attack is known as Ripper.
Read more in:
Computerworld: Sophisticated malware possibly tied to recent ATM heists in Thailand:
-http://www.computerworld.com/article/3113485/security/sophisticated-malware-poss
ibly-tied-to-recent-atm-heists-in-thailand.html
V3: Gang behind $2.2m Taiwan ATM thefts strikes again in Thailand:
-http://www.v3.co.uk/v3-uk/news/2469004/gang-behind-usd22m-taiwan-atm-thefts-stri
kes-again-in-thailand

Man Found Guilty in Restaurant Point-of-Sale Payment Card Theft Scheme (August 25 & 27, 2016)

A federal jury in Seattle has found Roman Seleznev guilty of charges including intentional damage to a protected computer, obtaining information from a protected computer, and possession of 15 or more unauthorized access devices for his role in a payment card theft scheme. Seleznev installed malware on point-of-sale systems at restaurants in the US. He used the malware to steal numbers for more than two million payment card accounts and sold the information. The scheme ran from 2009 through 2013. Seleznev was arrested in 2014.

[Editor Comments ]

[Murray ]
We need to raise the cost of attack by eliminating the vulnerability of the magnetic stripe and reducing the currency of the credit card account number. Apple Pay, Android Pay, and Samsung Pay at the point of sale and PayPal, Visa Checkout, Master Pass, and other payment proxies for online sales. Consumers and merchants will prefer these for speed and convenience; reduced crime will be a bonus.
Read more in:
Ars Technica: Hacker who stole 2.9 million credit card numbers is Russian lawmaker's son:
-http://arstechnica.com/security/2016/08/hacker-who-stole-2-9-million-credit-card
-numbers-is-russian-lawmakers-son/
Computerworld: US convicts Russian hacker in credit card theft scheme:
-http://www.computerworld.com/article/3112694/security/us-convicts-russian-hacker
-in-credit-card-theft-scheme.html

Officials Say Cybersecurity Needs Long-Term Budgeting (August 25, 2016)

Speaking on a panel at FedScoop's Lowering the Cost of Government with IT Summit, current and former US government cybersecurity officials said that budgeting for cybersecurity on an annual basis can actually undermine security. Thomas McDermott, acting deputy assistant secretary for cyber policy at the Department of Homeland Security (DHS) pointed out that having an annual budget often means patching and remediating infrastructure that is basically "indefensible," rather than investing in necessary upgrades.

[Editor Comments ]

[Pescatore ]
Federal government rules and regulations often undermine rational behavior; it would be great to see reform. Even without regulatory reform, government agencies can take simple steps to improve the security of the products they buy and the systems they have others build. The most valuable step is making the acceptance and evaluation criteria include actual security testing vs. more security documentation. No procurement reform required. Someday we'll have corn that never has worms in it; meanwhile I'll keep peeling back the husk before I throw it in the shopping cart.

[Murray ]
Budgeting is too often seen merely as a cost control mechanism rather than a planning mechanism that can be used to encourage desired investment.

[Northcutt ]
This could have been phrased better. McDermott, is correct saying, "Cybersecurity is a key element of fiscal security," he said. "We've seen that the costs of incidents are huge, both financially and reputation ally." However, spending more and being reactive does not automatically equate to better security, it is about doing the right things, (and hiring the right people):

-http://www.csoonline.com/article/3051123/leadership-management/cybersecurity-spe
nding-more-does-not-necessarily-mean-better.html

-http://www.wsj.com/articles/financial-firms-bolster-cybersecurity-budgets-141618
2536

-http://www.securitymagazine.com/articles/87022-cybersecurity-budgets-not-rising-
in-line-with-threats

-http://federalnewsradio.com/cybersecurity/2016/05/2017-budget-make-break-cyberse
curity/
Read more in:
FCW: Officials: Yearly budgeting stifles cybersecurity:
-https://fcw.com/articles/2016/08/25/cybersecurity-panel-budgeting-carberry.aspx

---

INTERNET STORM CENTER TECH CORNER

Spam with Obfuscated Javascript
-https://isc.sans.edu/forums/diary/Spam+with+Obfuscated+Javascript/21415/

Another Day - Another Ransomware Sample
-https://isc.sans.edu/forums/diary/Another+Day+Another+Ransomware+Sample/21413/

OpenSSL Update
-https://www.openssl.org/news/openssl-1.1.0-notes.html

Opera Sync Server Breached
-https://www.opera.com/blogs/security/2016/08/opera-server-breach-incident/

Fake Windows Update Delivers Ransomware
-http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-fi
les-while-pretending-to-be-windows-update/

Dropbox Resets Old Passwords After Data Leak
-https://www.dropbox.com/help/9257?oref=e

CA WoSign Law Validation Policy
-https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I

FBI Warns Of Vulnerabilities in State Election Websites
-https://www.scribd.com/document/322473050/FBI-Flash-Aug-2016#from_embed

Bug in "Keeper" Password Safe Allows Attackers to Steal Passwords
-https://bugs.chromium.org/p/project-zero/issues/detail?id=917

Bank ATMs Compromised via EMV Chip: Ripper is "normal" Windows malware, but it allows an attacker to compromise an ATM by inserting a special card with a "malicious" EMV chip on it.
-https://www.fireeye.com/blog/threat-research/2016/08/ripper_atm_malwarea.html

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create