SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #73

September 13, 2016

TOP OF THE NEWS

PCI Council Releases New Card Reader Standards
Cybersecurity Rules for Commodities Firms, Exchanges
US Investigating Reported Russian Interference in US Elections

THE REST OF THE WEEK'S NEWS

ING Bank Fire Extinguisher Drill Causes Data Center Outage
Compromised FTP Servers Used to Mine Cryptocurrency
Two Arrested in Israel in Connection with vDOS DDoS-as-a-Service
Linode Fights off More DDoS Attacks
FDA Looking Into Reported Flaws in St. Jude Medical Devices
Researchers Say 911 System Vulnerable
Report: UK ISPs Say Government Surveillance Could Weaken Network Security
Correction: Google Chrome HTTP Warning Comment

INTERNET STORM CENTER TECH CORNER


*********************** Sponsored By AlienVault ************************

Learn how to identify distributed denial of service (DDoS) and brute force attacks. Get your copy of "Beginner's Guide to Brute Force & DDoS Attacks: What to Do When the Barbarians Are at the Door."
http://www.sans.org/info/188522

***************************************************************************

TRAINING UPDATE

--SANS London Autumn 2016 | London, UK | September 19-24 |
https://www.sans.org/event/london-autumn-2016

--Security Leadership Summit & Training | Dallas, TX | September 27 - October 4, 2016 |
https://www.sans.org/event/security-leadership-summit-2016

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA |
https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic |
https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD |
https://www.sans.org/event/baltimore-2016

--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan |
https://www.sans.org/event/tokyo-autumn-2016

--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA |
https://www.sans.org/event/tysons-corner-2016

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA |
https://www.sans.org/event/san-diego-2016

--Pen Test HackFest Summit & Training | November 2-9, 2016 | Crystal City, VA |
https://www.sans.org/event/pen-test-hackfest-2016

--Healthcare Cybersecurity Summit & Training | November 14-21, 2016 | Houston, TX |
https://www.sans.org/event/healthcare-cyber-security-summit-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC |
https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA |
https://www.sans.org/event/security-east-2017

TOP OF THE NEWS

PCI Council Releases New Card Reader Standards (September 12, 2016)

The Payment Card Industry (PCI) Security Standards Council has released a new standard aimed at reducing fraud originating at point-of-sale terminals. To comply with the PCI PIN Transaction Security Point-of-Interaction Modular Security Requirements version 5.0, point-of-sale card readers must support and cryptographically authenticate firmware updates; must be tamper-proof; and must not leak keys through side-channel monitoring. The new standard will take effect in September 2017.
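The first of the three requirements above, authenticated firmware updates, is the one most easily shown in code. The following Go program is an added illustration written for this summary; it is not code from the PCI Council, the PTS POI standard, or any terminal vendor, and the image layout (a "FWUP" magic, a big-endian version and length, the payload, then a 64-byte Ed25519 signature) is a constructed format chosen for the example, not the layout the standard prescribes. It shows the defensive ordering a reader would expect on the device: parse with explicit length checks, verify the signature with a public key fixed at manufacture before trusting any field, and only then enforce anti-rollback on the version number.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not the PCI PTS wire format):
//   "FWUP" | uint32 version | uint32 payload length | payload | 64-byte Ed25519 signature
// The signature covers everything before it.

const sigLen = ed25519.SignatureSize

var magic = []byte("FWUP")

var (
	ErrMalformed = errors.New("firmware image malformed")
	ErrBadSig    = errors.New("firmware signature invalid")
	ErrRollback  = errors.New("firmware version not newer than installed version")
)

// Device models the state a PIN-entry device keeps: the vendor public key
// fixed at manufacture and the currently installed firmware version.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

// BuildImage assembles and signs an update image. This runs on the vendor's
// signing infrastructure, never on the device.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	var buf bytes.Buffer
	buf.Write(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(payload)))
	buf.Write(payload)
	buf.Write(ed25519.Sign(priv, buf.Bytes()))
	return buf.Bytes()
}

// VerifyAndApply checks an image before any byte of it is acted on:
//  1. structural parsing with explicit length checks,
//  2. signature over header+payload with the device's trusted public key,
//  3. anti-rollback: the version must be strictly newer than the installed one.
// On success it returns the payload and advances the installed version.
func (d *Device) VerifyAndApply(img []byte) ([]byte, error) {
	headerLen := len(magic) + 4 + 4
	if len(img) < headerLen+sigLen || !bytes.Equal(img[:len(magic)], magic) {
		return nil, ErrMalformed
	}
	version := binary.BigEndian.Uint32(img[4:8])
	plen := binary.BigEndian.Uint32(img[8:12])
	if uint64(headerLen)+uint64(plen)+uint64(sigLen) != uint64(len(img)) {
		return nil, ErrMalformed
	}
	signed := img[:headerLen+int(plen)]
	sig := img[headerLen+int(plen):]
	// Verify before trusting the version or payload: until the signature
	// checks out, both are attacker-controlled input.
	if !ed25519.Verify(d.VendorPub, signed, sig) {
		return nil, ErrBadSig
	}
	if version <= d.InstalledVersion {
		return nil, ErrRollback
	}
	d.InstalledVersion = version
	return signed[headerLen:], nil
}

// PayloadDigest gives a stable identifier for logging what was installed.
func PayloadDigest(payload []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(payload))
}

func outcome(_ []byte, err error) string {
	if err == nil {
		return "accepted"
	}
	return err.Error()
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	dev := &Device{VendorPub: pub, InstalledVersion: 4}

	good := BuildImage(priv, 5, []byte("constructed firmware payload v5"))
	if p, err := dev.VerifyAndApply(good); err == nil {
		fmt.Println("installed v5, payload digest", PayloadDigest(p))
	}
	// Tampered after signing: flip one payload byte.
	bad := BuildImage(priv, 6, []byte("payload v6"))
	bad[13] ^= 0xff
	fmt.Println("tampered image:", outcome(dev.VerifyAndApply(bad)))
	// Genuinely signed but older than what is installed.
	fmt.Println("rollback image:", outcome(dev.VerifyAndApply(BuildImage(priv, 3, []byte("payload v3")))))
	// Signed by a key the device does not trust.
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	fmt.Println("wrong signer:  ", outcome(dev.VerifyAndApply(BuildImage(otherPriv, 7, []byte("payload v7")))))
}
```

The side-channel and tamper-resistance requirements in the same paragraph are hardware properties and have no software analogue here; what the code does show is that a signature check alone is not enough, since a validly signed older image would otherwise let an attacker reinstall firmware with known weaknesses.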

Cybersecurity Rules for Commodities Firms, Exchanges (September 8 & 9, 2016)

The Commodity Futures Trading Commission (CFTC) has established new cybersecurity rules for information technology systems at US commodities and derivatives firms, exchanges, and clearinghouses. To meet the requirements, organizations' systems must undergo vulnerability and penetration testing, security incident response and controls testing, and enterprise technology risk assessment.

US Investigating Reported Russian Interference in US Elections (September 5, 2016)

Intelligence and law enforcement agencies in the US are investigating evidence that Russia may be interfering with November's general election to undermine voter confidence. The focus of the investigation is to determine the scope of the effort as well as analyzing its intent. Director of National Intelligence James Clapper is coordinating the investigation.

*************************** SPONSORED LINKS *****************************

1) What You Need to Know to Keep Your Organization Protected [Live Webinar] Register: http://www.sans.org/info/188527

2) Get a greater understanding of OpenSCAP and tools to help apply industry standards to your production servers. Register: http://www.sans.org/info/188532

3) SANS 2016 Security Analytics & Intelligence Survey is now OPEN! Take the survey and enter to win a $400 Amazon Gift Card. http://www.sans.org/info/188537

THE REST OF THE WEEK'S NEWS

ING Bank Fire Extinguisher Drill Causes Data Center Outage (September 12, 2016)

ING Bank's Romanian customers were unable to access their accounts through ATMs or online over the weekend due to a data center outage. The problem was reportedly caused by a gas-based fire extinguisher test in a data center that caused "unexpected" damage to servers. While ING has not provided details about the cause of the damage, others have suggested that the problem may have been due to the noise generated by the test. There is some evidence to back up the assertion that extremely loud noises can damage hard disks. The outage lasted 10 hours and left the bank unable to communicate with its customers.

[Editor Comments]

[Shpantzer]
Question is, despite some or all of the servers being damaged in one data center, why did failover intra or inter data center not work? (Assuming there was a failover plan here...)
Read more in:
BBC: Fire drill knocks ING bank's data centre offline

-http://www.bbc.com/news/technology-37337868

Compromised FTP Servers Used to Mine Cryptocurrency (September 12, 2016)

According to a report from Sophos, infected file transfer protocol (FTP) servers are being used to mine cryptocurrency called Monero. A large number of the infected devices are Seagate network attached storage (NAS) appliances. Sophos estimates that the malware, known as Mal/Miner-C has already mined nearly 76,600 euros (US $86,000).
Read more in:
Ars Technica: Thousands of infected FTP servers net attackers $88k in cryptocurrency

-http://arstechnica.com/security/2016/09/thousands-of-infected-ftp-servers-net-attackers-88k-in-cryptocurrency/

Computerworld: Thousands of Seagate NAS boxes host cryptocurrency mining malware

-http://www.computerworld.com/article/3119109/security/thousands-of-seagate-nas-boxes-host-cryptocurrency-mining-malware.html

The Register: SOHOpeless Seagate NAS boxen become malware distributors

-http://www.theregister.co.uk/2016/09/12/sohopeless_seagate_nas_boxen_become_malware_distributors/

Two Arrested in Israel in Connection with vDOS DDoS-as-a-Service (September 10 & 12, 2016)

Israeli authorities have arrested two people for allegedly operating vDOS, a company that offers distributed denial-of-service (DDoS) attacks as a service. Itay Huri and Yarden Bidani were arrested in connection with an FBI investigation. vDOS itself was breached, revealing information about its customers.

[Editor Comments]

[Shpantzer]
The real story is of the BGP hijacking hackback in the latter part of this article:
-http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/#more-36288
Read more in:
KrebsonSecurity: Alleged vDOS Proprietors Arrested in Israel

-http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/
The Register: Israeli Pentagon DDoSers explain their work, get busted by FBI

-http://www.theregister.co.uk/2016/09/12/israeli_pentagon_ddosers_write_techical_paper_get_busted_by_fbi/

V3: DDoS-for-hire service vDOS hacked, two alleged creators arrested

-http://www.v3.co.uk/v3-uk/news/2470441/two-18-year-olds-arrested-in-israel-after-hack-on-ddos-for-hire-service-vdos

Linode Fights off More DDoS Attacks (September 11, 2016)

Cloud hosting firm Linode was targeted by distributed denial-of-service (DDoS) attacks earlier this month. The company experienced a similar series of attacks in late December 2015 and early January 2016. Those attacks caused significant problems for Linode. The company appears to have managed this round of attacks more effectively. The attacks affected data centers in Singapore, Atlanta, and Tokyo.
Read more in:
The Register: Linode fends off multiple DDOS attacks

-http://www.theregister.co.uk/2016/09/11/linode_fends_off_multiple_ddos_attacks/

FDA Looking Into Reported Flaws in St. Jude Medical Devices (September 9, 2016)

The US Food and Drug Administration (FDA) will conduct an investigation into allegations of vulnerabilities in St. Jude Medical pacemakers and defibrillators. The allegations came to light when MedSec Holdings and Muddy Waters teamed up to release a report detailing the problems at a moment that benefitted a short-sell investment strategy. The FDA also noted that MedSec and Muddy Waters acted in a way that violated the agency's advice regarding the disclosure of vulnerabilities in medical devices.
Read more in:
Reuters: U.S. health regulator plans 'thorough' probe of St. Jude case

-http://uk.reuters.com/article/us-st-jude-medical-cyber-fda-idUKKCN11E32Y

Researchers Say 911 System Vulnerable (September 9 & 12, 2016)

According to researchers from Israel's Ben Gurion University, 911 emergency call systems could be attacked, making it difficult if not impossible for people with emergencies to reach dispatchers. The researchers say that a telephony denial-of-service (TDoS) attack against 911 call centers using infected cell phones could render an entire state's 911 system inaccessible. Building redundancy into emergency call systems could help protect them from such attacks.

[Editor Comments]

[Northcutt]
This is not a new problem. We dealt with the 911 worm back in April 2000:

-https://www.giac.org/paper/gsec/38/911-worm/100338
Read more in:
Washington Post: How America's 911 emergency response system can be hacked

-https://www.washingtonpost.com/news/the-switch/wp/2016/09/09/how-americas-911-emergency-response-system-can-be-hacked/

CNET: 911 could face its own emergency: Hackers

-http://www.cnet.com/news/911-could-face-its-own-emergency-hackers/
GCN: Is an attack on emergency services just one call away?

-https://gcn.com/articles/2016/09/12/tdos-911.aspx

Report: UK ISPs Say Government Surveillance Could Weaken Network Security (September 9, 2016)

According to a report from The Internet Service Providers' Association (ISPA), the majority of UK Internet service providers (ISPs) say they are concerned that government surveillance will undermine their network security and increase the likelihood that their networks will be targets of attacks. ISPs also say they would like to see the government focus on raising consumer awareness and creating greater consistency in law enforcement's response to reported cyber incidents.
Read more in:
eWeek: Government Surveillance Poses Cyber-security Threats, ISPs Say

-http://www.eweek.com/security/government-surveillance-poses-cyber-security-threats-isps-say.html

Ars Technica: Cyber attacks: Educate cops but don't bring in new laws, ISPs tell UK gov't

-http://arstechnica.co.uk/tech-policy/2016/09/cyber-attacks-educate-cops-no-new-laws-ispa-to-govt/

Correction: Google Chrome HTTP Warning Comment

In NewsBites Volume 18, No. 72, a portion of Dr. Johannes Ullrich's comment was inadvertently omitted. Here is the full version of the comment regarding Google's announcement that its Chrome browser will soon

Google will start warning users about sites using HTTP rather than HTTPS early next year. When the stable version of Chrome 56 is released at the end of January 2017, the browser will warn users when sites send passwords or payment card data over non-secure, HTTP connections. The warnings are "part of a long-term plan to mark all HTTP sites as non-secure," according to Google's blog post.
[Editor Comments]

[Dr. Johannes Ullrich]
These warnings, which will be displayed in the URL bar, solve a long outstanding problem: while SSL errors are very visible to the user, the absence of SSL is not specifically advertised. Attack tools like sslstrip have taken advantage of this flaw, and many phishing sites do not have to bother with setting up SSL. These new indicators should make it easier to educate users to spot insecure sites. But it also puts more pressure on legitimate websites to properly implement SSL.

[Stephen Northcutt]
The security.googleblog.com is the most important link. By phasing the warnings in, they are trying to maintain rapport with rank and file users while raising awareness. Most users will agree that unencrypted credit card fields are a bad idea and they plan to go from there.

[John Pescatore]
I'd rather see Google donate some percentage of its advertising to "public service announcements" working to educate and change user behaviors than add more popups. The browser (and certificate) industry as a whole has failed to educate users on things like what red/green URLs mean or what it means when certificate warnings pop up.
Read more in:

-http://www.computerworld.com

-http://www.cnet.com

-http://www.theregister.co.uk

-https://security.googleblog.com
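The Chrome 56 rule summarized in the correction above (warn when a page loaded over HTTP collects a password or payment card number) is simple enough that a site owner can run the same check over their own pages before the browser does it for them. The Go program below is an added example written for this item; it is not Google's code, not Chrome's implementation, and the sample HTML and hostnames in it are constructed. It scans the forms on a page with regular expressions (adequate for an audit pass, not a substitute for a real HTML parser), treats `type="password"` and `autocomplete="cc-number"` inputs as the sensitive fields, and reports each one that is either on a non-HTTPS page or inside a form whose resolved `action` submits over HTTP. That second case, a form on an HTTPS page posting to an http:// URL, goes beyond the rule the item states and is included because it leaks the same data in the same way.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding records one sensitive field the rule would flag.
type Finding struct {
	PageURL string
	Action  string // resolved submit URL of the enclosing form
	Field   string // "password" or "card number"
	Reason  string
}

var (
	formRe  = regexp.MustCompile(`(?is)<form\b([^>]*)>(.*?)</form>`)
	inputRe = regexp.MustCompile(`(?is)<input\b[^>]*>`)
	attrRe  = regexp.MustCompile(`(?is)\b([a-zA-Z-]+)\s*=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+))`)
)

// attrs extracts attribute name/value pairs from a tag's attribute text.
func attrs(s string) map[string]string {
	out := map[string]string{}
	for _, m := range attrRe.FindAllStringSubmatch(s, -1) {
		out[strings.ToLower(m[1])] = m[3] + m[4] + m[5] // only one alternative is non-empty
	}
	return out
}

// sensitive reports whether an <input> collects a password or a card number,
// the two field kinds named in the Chrome announcement.
func sensitive(a map[string]string) (string, bool) {
	switch {
	case strings.EqualFold(a["type"], "password"):
		return "password", true
	case strings.EqualFold(a["autocomplete"], "cc-number"):
		return "card number", true
	}
	return "", false
}

// AuditPage applies the rule to one page's HTML. Findings come back in
// document order; an empty slice means the page would show no warning.
func AuditPage(pageURL, html string) ([]Finding, error) {
	base, err := url.Parse(pageURL)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, fm := range formRe.FindAllStringSubmatch(html, -1) {
		action := base // a form without an action submits to the page itself
		if act := strings.TrimSpace(attrs(fm[1])["action"]); act != "" {
			ref, err := url.Parse(act)
			if err != nil {
				return nil, err
			}
			action = base.ResolveReference(ref)
		}
		for _, in := range inputRe.FindAllString(fm[2], -1) {
			field, ok := sensitive(attrs(in))
			if !ok {
				continue
			}
			var reason string
			switch {
			case base.Scheme != "https":
				reason = "page served over " + base.Scheme
			case action.Scheme != "https":
				reason = "form submits over " + action.Scheme
			default:
				continue
			}
			findings = append(findings, Finding{pageURL, action.String(), field, reason})
		}
	}
	return findings, nil
}

// Constructed sample page for the example (not a real site).
const sampleLogin = `<html><body>
<form method="post" action="/login">
  <input type="text" name="user">
  <input type="PASSWORD" name="pass">
</form>
<form action="http://pay.example.test/charge">
  <input name="cc" autocomplete="cc-number">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>`

func main() {
	for _, page := range []string{"http://www.example.test/login", "https://www.example.test/login"} {
		fs, err := AuditPage(page, sampleLogin)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d finding(s)\n", page, len(fs))
		for _, f := range fs {
			fmt.Printf("  %-11s -> %s (%s)\n", f.Field, f.Action, f.Reason)
		}
	}
}
```

Run against the constructed page, the HTTP variant yields two findings (the password and the card field, both because the page itself is plain HTTP) and the HTTPS variant yields one (the card form that still posts to an http:// endpoint). The login form over HTTPS produces nothing, which is the state a site needs to reach before the Chrome 56 warning goes live.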

INTERNET STORM CENTER TECH CORNER

Upgrading Security to MacOS Sierra
-https://isc.sans.edu/forums/diary/Getting+Ready+for+macOS+Sierra+Upgrade+Securely/21465/

PCI PIN Transaction Security / Point of Interaction Update
-https://www.pcisecuritystandards.org/documents/PCI_PTS_POI_SRs_v5.pdf

IMAPS Scans
-https://isc.sans.edu/forums/diary/Ongoing+IMAP+Scan+Anyone+Else/21463/

If it's Free, YOU are the Product
-https://isc.sans.edu/forums/diary/If+its+Free+YOU+are+the+Product/21469/

Weak MySQL Configurations Can Lead To Privilege Escalation
-http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

Full Disk Encryption Ransomware
-https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho?trk=prof-post



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create