SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #71
September 06, 2016
TOP OF THE NEWS
Iran Finds Malware in Petrochemical Plant SystemsUS DoD Will Shuffle Funds to Vet Weapons Systems for Cyber Flaws
THE REST OF THE WEEK'S NEWS
Sophos Revises AV Update to Fix False Positive ProblemAustralian ISPs Get Partial Compensation Grant for Data Retention Costs
Google Fixes Nexus 5X Memory Dump Flaw
Alleged Kernel.org Attacker Arrested
Kaspersky Cuts Ties with Firm that Breached Rival's Database
PoS Vendor Lightspeed Acknowledges Breach
Cisco's Talos Helps Quash Malvertising Campaign
IoT Home Routers Used in Attack
US Defense Department's Supermarket Chain Needs Better Encryption Solution
Ashley Madison Breach Investigation Results
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER********************** Sponsored By Sophos, Inc. ************************
You've gone back and forth on encryption, its benefits and challenges, and you've made the decision: to keep your data truly safe, your organization needs encryption. So what now? What is the best, safest way to implement encryption without disrupting your users' workflow and effectiveness? Learn more with this encryption implementation guide:
http://www.sans.org/info/188457
***************************************************************************
TRAINING UPDATE
--SANS Network Security 2016 | Las Vegas, NV | September 10-19 | https://www.sans.org/event/network-security-2016
--SANS London Autumn 2016 | London, UK | September 19-24 | https://www.sans.org/event/london-autumn-2016
--Security Leadership Summit & Training | Dallas, TX | September 27 – October 4, 2016 | https://www.sans.org/event/security-leadership-summit-2016
--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA | https://www.sans.org/event/seattle-2016
--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic | https://www.sans.org/event/dfir-prague-2016
--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD | https://www.sans.org/event/baltimore-2016
--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan | https://www.sans.org/event/tokyo-autumn-2016
--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA | https://www.sans.org/event/tysons-corner-2016
--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA | https://www.sans.org/event/san-diego-2016
--Pen Test HackFest Summit & Training | November 2-9, 2016 | Crystal City, VA | https://www.sans.org/event/pen-test-hackfest-2016
--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC | https://www.sans.org/event/cyber-defense-initiative-2016
***************************************************************************
TOP OF THE NEWS
Iran Finds Malware in Petrochemical Plant Systems (August 27, 2016)
The head of Iran's civilian defense says they have found and removed malware from systems at two petrochemical plants. Gholamreza Jalalai said the malware was not active and is not the cause of fires recently reported at Iranian petrochemical plants.[Editor Comments ]
[Murray ]
It seems unlikely that there is more malware in Iranian infrastructure than in American. They have just found some of theirs.
Read more in:
New York Times: Iran Detects Malware in Petrochemical Plants, Says Not Linked to Recent Fires
-http://www.nytimes.com/reuters/2016/08/27/technology/27reuters-iran-security-cyb
er.html?_r=0
US DoD Will Shuffle Funds to Vet Weapons Systems for Cyber Flaws (September 1, 2016)
According to recently released Pentagon budget documents, the US Department of Defense (DoD) plans to use US $100 million to detect cyber vulnerabilities in weapons systems. The funds had been earmarked for technology analysis; they will now be reassigned to research, test, and evaluation.Read more in:
Defense News: To Find Cyber Flaws in Weapons Systems, DoD Will Move Millions
-http://www.defensenews.com/articles/dod-cyber-flaws-weapon-systems-reprogramming
*************************** SPONSORED LINKS *****************************
1) Hunting 101 - Back to Basics: Implementing a Proactive Cyber Hunting Approach. Thursday, September 8th, 2016 at 1:00 PM Eastern with Brad Mecha and Dave Shackleford. Register: http://www.sans.org/info/188462
2) What types of threats are driving the IT community into taking action, particularly in Europe? What actions are they are taking? Find out: http://www.sans.org/info/188467
3) Security practitioners are hearing more and more about threat intelligence (TI). But what exactly is it, and how can TI be effectively deployed? Register: http://www.sans.org/info/188472
***************************************************************************
THE REST OF THE WEEK'S NEWS
Sophos Revises AV Update to Fix False Positive Problem (September 5, 2016)
A problematic malware signature in a Sophos antivirus update prevented some users from accessing their computers. The update incorrectly identified a Windows file, winlogon.exe, as potentially malicious. The issue affected users running a certain version of 32-bit Windows 7 SP1. Sophos has released a revised update to fix the problem.[Editor Comments ]
[Ullrich ]
I just scanned 10 malware samples that I received this morning with Sophos Anti Virus. Not a single one was recognized as malicious even after updating the virus definitions. (all are zipped wsf files, so just run of the mill crypto ransomware, nothing fancy). Poor quality control and not being able to keep up with current threats is what makes users move away from anti-malware products.
Read more in:
Computerworld: Sophos' false positive ruins the weekend for some Windows users
-http://www.computerworld.com/article/3116103/security/sophos-false-positive-ruin
s-the-weekend-for-some-windows-users.html
The Register: Sophos users face black screens after false positive snafu
-http://www.theregister.co.uk/2016/09/05/sophos_black_screen_snafu/
Australian ISPs Get Partial Compensation Grant for Data Retention Costs (September 5, 2016)
The Australian government is providing grants to Internet service providers (ISPs) to cover a portion of the costs of complying with data retention requirements. Most providers will receive 80 percent of their costs in compensation. In all, the government is distributing AU $128.4 million (US $98 million).Read more in:
ZDNet: Data-retention grants: Telstra gets $40m, Vodafone $29m, Optus $14m, NBN $1m
-http://www.zdnet.com/article/data-retention-grants-telstra-gets-40m-vodafone-29m
-optus-14m-nbn-1m/
Australian Government Attorney-General's Department: DGRIP Recipients (PDF)
-https://www.ag.gov.au/NationalSecurity/DataRetention/Documents/DRIGP-recipients.
Google Fixes Nexus 5X Memory Dump Flaw (September 2, 4 and 5, 2016)
Google has fixed a flaw in its 5X Nexus smartphones that could be exploited to gain access to vulnerable devices even when they are protected with passwords. The issue, a flaw in the fastboot USB interface, could allow attackers to obtain full memory dumps through Android Debug Bridge. The flaw affects Nexus 5X devices with operating system images 6.0 MDA39E to 6.0.1 MMB29V or running botloaders bhz10i/k. The first version in which the issue is fixed, MHC19J, was released in March.Read more in:
The Register: Google swats Nexus 5X vulnerable fastboot memory dump flaw
-http://www.theregister.co.uk/2016/09/04/google_swats_nexus_5x_vulnerable_fastboo
t_memory_dump_flaw/
ZDNet: Android lockscreen bypass: Google patches flaw on Nexus 5X phones
-http://www.zdnet.com/article/android-lockscreen-bypass-google-patches-flaw-on-ne
xus-5x-phones/
InfoWorld: Google patches critical bug on Android Nexus 5X devices
-http://www.infoworld.com/article/3116149/security/google-patches-critical-bug-on
-android-nexus-5x-devices.html
Alleged Kernel.org Attacker Arrested (September 2, 2016)
Authorities in Florida arrested Donald Ryan Austin following a traffic stop. After the arrest, US federal prosecutors unsealed an indictment filed earlier this year accusing Austin of breaching servers used to maintain and distribute the Linux kernel in August 2011. The indictment alleges that Austin used Linux Kernel Organization system administrator login credentials to gain access to the servers and install backdoors.Read more in:
Ars Technica: feds pin brazen kernel.org intrusion on 27-year-old programmer
-http://arstechnica.com/tech-policy/2016/09/feds-pin-brazen-kernel-org-intrusion-
on-27-year-old-programmer/
The Register: Bloke accused of Linux kernel.org hack nabbed during traffic stop
-http://www.theregister.co.uk/2016/09/02/alleged_linux_hacker_arrested/
Computerworld: Suspects arrested in 5-year-old kernel.org breach
-http://www.computerworld.com/article/3116023/security/suspect-arrested-in-5-year
-old-kernelorg-breach.html
DoJ: Florida Computer Programmer Arrested For Hacking
-https://www.justice.gov/usao-ndca/pr/florida-computer-programmer-arrested-hackin
g
Kaspersky Cuts Ties with Firm that Breached Rival's Database (September 2, 2016)
Kaspersky Lab has cut business ties with Quadsys, a reseller that has recently made headlines for breaking into another company's database to obtain information. Five Quadsys employees recently pleaded guilty to securing unauthorized access to computer material, a violation of the Computer Misuse Act.[Editor Comments ]
[Pescatore ]
Good move by Kaspersky; Intel/McAfee and Sophos (and any other vendors with reseller agreements with Quadsys) should follow suit. Supply chain security/trustability needs to be an even bigger deal for security products and services than for other procurements/relationships.
[Shpantzer ]
Quadsys also carries the Sophos brand and was promoted to Platinum partnership after the guilty pleas by Quadsys personnel.
Read more in:
The Register: Kaspersky 'terminates' deal with reseller Quadsys
-http://www.theregister.co.uk/2016/09/02/kaspersky_drops_quadsys/
PoS Vendor Lightspeed Acknowledges Breach (September 2, 2016)
Point of sale (PoS) vendor Lightspeed has begun notifying its customers of a data breach that may have compromised passwords, customer data, and API keys held in its database. The database holds information about Lightspeed customers, but does not include payment card data. Lightspeed has more than 38,000 customers that use their software in their PoS terminals.Read more in:
The Register: Lightspeed PoS vendor breached, sensitive database tapped
-http://www.theregister.co.uk/2016/09/02/lightspeed_pos_vendor_breached_sensitive
_database_tapped/
Softpedia: Lightspeed PoS Vendor Announces Server Breach
-http://news.softpedia.com/news/lightspeed-pos-vendor-announces-server-breach-507
905.shtml
Cisco's Talos Helps Quash Malvertising Campaign (September 2, 2016)
Cisco's Talos Group, along with domain registrar GoDaddy, took action to stop a malvertising campaign that targeted users around the world. The malicious advertisements led users to a landing page that hosted the Neutrino Exploit Kit. Users could be redirected without having to click on the advertisement. The campaign infected machines with ransomware.[Editor Comments ]
[Shpantzer ]
malware-traffic-analysis.net has many PCAPs of neutrino exploit kit being used to serve up Ransomware. It's also a great way to learn and improve your wireshark skills.
Read more in:
Dark Reading: Cisco's Talos Group Shuts Down Malvertising Campaign
-http://www.darkreading.com/vulnerabilities---threats/ciscos-talos-group-shuts-do
wn-malvertising-campaign/d/d-id/1326810?
SC Magazine: ShadowGate malvertising campaign casts giant shadow across multiple continents
-http://www.scmagazine.com/shadowgate-malvertising-campaign-casts-giant-shadow-ac
ross-multiple-continents/article/520564/
IoT Home Routers Used in Attack (September 1 and 2, 2016)
Internet of Things (IoT) home routers were compromised and used to launch an application-level distributed denial-of-service (DDoS) attack against an unnamed website. Security company Sucuri detected the Layer 7 HTTPS flood attack, which used more than 11,000 compromised devices.[Editor Comments ]
[Murray ]
Most of the security discussion around the "Internet of things" seems to focus around the abuse and misuse of its intended function, whether toasting bread or dispensing medicine, rather than, as in this case, on the more likely misuse of the gratuitous general purpose computing function included with it for spam, denial of service attacks, or brute force attacks against reusable passwords or crypto keys.
Read more in:
SC Magazine: IoT home routers used to launch application-level DDoS attack
-http://www.scmagazine.com/iot-home-routers-used-to-launch-application-level-ddos
-attack/article/520539/
Sucuri: IoT Home Router Botnet Leveraged in Large DDoS Attack
-https://blog.sucuri.net/2016/09/iot-home-router-botnet-leveraged-in-large-ddos-a
ttack.html
US Defense Department's Supermarket Chain Needs Better Encryption Solution (September 2, 2016)
The US Defense Commissary Agency has released a request for information (RFI) from vendors for an Enterprise Encryption and Key Management System. Currently, encryption keys for Defense Commissary Agency databases are stored alongside the data they are meant to protect.Read more in:
Nextgov: Military supermarket chain's encryption setup is 'unacceptable,' commissary says
-http://www.nextgov.com/cybersecurity/2016/09/military-supermarket-chains-encrypt
ion-setup-unacceptable-commissary-says/131241/
Ashley Madison Breach Investigation Results (August 24, 2016)
Australian and Canadian Privacy Commissioners have released a report detailing the results of their joint investigation of the Ashley Madison breach. Australian Privacy Commissioner Timothy Pilgrim said that "the findings ... reveal the risks to businesses when they do not have a dedicated risk management process in place to protect personal information."[Editor Comments ]
[Pescatore ]
The summary of the report focuses on lack of a "risk management process" but the details point out that the breach started with the external attacker obtaining internal access credentials, following by the usual steps of internal discovery, compromise and exfiltration of the most sensitive data held by the company - all of which went unnoticed. I don't think Ashley Madison's business managers and app developers needed a "dedicated profit management process" to develop the apps that convinced people to pay money to let Ashley Madison host their sensitive info, and the security side should have known protecting the crown jewels from common forms of attack was basic security hygiene. It also appears Ashley Madison had only brought on a CISO not long before the breach and wasn't living up to its own promises to delete user data. Bad security hygiene was likely baked in to many processes.
Read more in:
OAIC: Joint investigation of Ashley Madison by the Privacy Commissioner of Canada and the Australian Privacy Commissioner and Acting Australian Information Commissioner
-https://www.oaic.gov.au/privacy-law/commissioner-initiated-investigation-reports
/ashley-madison
OAIC: Ashley Madison data breach: joint findings released
-https://www.oaic.gov.au/media-and-speeches/media-releases/ashley-madison-data-br
each-joint-findings-released
INTERNET STORM CENTER TECH CORNER
Apple Patches OS X and Safari for Trident/Pegasus Vulnerabilities-https://support.apple.com/en-us/HT201222
Malware Delivered via ".pub" Files
-https://isc.sans.edu/forums/diary/Malware+Delivered+via+pub+Files/21443/
Sophos Anti Virus False Positive Causes Blue Screen of Death
-https://community.sophos.com/kb/en-us/125000
Adobe Reviving Flash for Linux
-https://blogs.adobe.com/flashplayer/2016/08/beta-news-flash-player-npapi-for-lin
ux.html
Google Patches Nexuse 5X Vulnerability
-https://securityintelligence.com/undocumented-patched-vulnerability-in-nexus-5x-
allowed-for-memory-dumping-via-usb/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
