Newsletters: NewsBites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #74

September 16, 2016

TOP OF THE NEWS

New York Financial and Insurance Companies to Get Cybersecurity Requirements
US Officials Urge States to Bolster Voting System Security
National Audit Office Finds UK Government Cybersecurity Wanting
DNSSEC Will Generate New Root Zone Key Signing Key

THE REST OF THE WEEK'S NEWS

Chrome OS Verified Access API
Google Chrome 54 Beta Includes Encryption to Guard Against Quantum Attack
Volkswagen's New Cybersecurity Firm to Address Automotive Industry Concerns
Adobe Patches Flaws in Flash and Digital Edition
Microsoft Patch Tuesday
Olympic Athlete Doping Test Results Leaked

INTERNET STORM CENTER TECH CORNER


********************* Sponsored By Trend Micro Inc. ********************

Check out Trend Micro's mid-year 2016 security roundup report for the top threats that affected organizations globally during that timeframe.
http://www.sans.org/info/188562

***************************************************************************

TRAINING UPDATE

--Security Leadership Summit & Training | Dallas, TX | September 27 - October 4, 2016 |
https://www.sans.org/event/security-leadership-summit-2016

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA |
https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic |
https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD |
https://www.sans.org/event/baltimore-2016

--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan |
https://www.sans.org/event/tokyo-autumn-2016

--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA |
https://www.sans.org/event/tysons-corner-2016

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA |
https://www.sans.org/event/san-diego-2016

--Pen Test HackFest Summit & Training | November 2-9, 2016 | Crystal City, VA |
https://www.sans.org/event/pen-test-hackfest-2016

--Healthcare Cybersecurity Summit & Training | November 14-21, 2016 | Houston, TX |
https://www.sans.org/event/healthcare-cyber-security-summit-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC |
https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA |
https://www.sans.org/event/security-east-2017

TOP OF THE NEWS

New York Financial and Insurance Companies to Get Cybersecurity Requirements (September 15, 2016)

Financial institutions and insurance companies operating within the state of New York will face new cybersecurity regulations later this year. In addition to establishing a cybersecurity program and adopting a written cybersecurity policy, the rules include creating "policies and procedures to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties." The rules will be published in the New York State register on September 28 and there will be a 45-day notice and public comment period.

US Officials Urge States to Bolster Voting System Security (September 15, 2016)

US federal officials are urging state and local governments to take advantage of help from the Department of Homeland Security (DHS) to secure their voting systems. While citing recent breaches of voter registration systems in Illinois and Arizona as reasons to be concerned, the government has refrained from attributing the breaches to a particular group.

National Audit Office Finds UK Government Cybersecurity Wanting (September 14 & 15, 2016)

According to a report from the UK's National Audit Office (NAO), the government's approach to reporting cybersecurity breaches is "chaotic." UK government departments experienced nearly 9,000 breaches in 2015, but lack clear cybersecurity procedures for reporting and managing the incidents. The report notes, "None of the departments we interviewed understood the specific roles of the various bodies involved, making it difficult to identify any single arbiter of standards or guidance."

DNSSEC Will Generate New Root Zone Key Signing Key (August 25 & September 15, 2016)

The Internet Corporation for Assigned Names and Numbers (ICANN) plans to generate a new top-level, Root Zone Key Signing Key (KSK) next fall. This will be the first time the key has been changed since its inception in 2010. Admins will need to update their systems.

*************************** SPONSORED LINKS *****************************

1) Get a greater understanding of OpenSCAP and tools to help apply industry standards to your production servers. Register: http://www.sans.org/info/188567

2) Hardening Microservices Security: Building a Layered Defense Strategy. Wednesday, September 21st. Register: http://www.sans.org/info/188572

3) Webcast: "The Human Factor in the Age of Cyber Conflict" Thursday, September 22nd. Register: http://www.sans.org/info/188577

THE REST OF THE WEEK'S NEWS

Chrome OS Verified Access API (September 15 & 16, 2016)

Google has introduced the Verified Access API, which organizations can use to cryptographically validate Chrome OS devices and make sure that the devices are compliant with security policies before accessing the network. The API uses digital certificates stored in the Trusted Platform Module (TPM).

[Editor Comments]

[Pescatore]
NAC (Network Access Control) is a very good thing, but unless you are 100% Chromebooks, this falls into the YAAPI (Yet Another API) problem because it doesn't help you with Windows, iOS or other OS-based devices. NAC vendors will likely add support for Google's API - having a common, manageable approach to NAC for all managed and unmanaged devices is waaay better than trying to have multiple device specific strategies.
Read more in:
Computerworld: Chrome OS gets cryptographically verified enterprise device management
-http://www.computerworld.com/article/3120771/security/chrome-os-gets-cryptographically-verified-enterprise-device-management.html

ITNews: Chrome OS adds enterprise identity verification
-http://www.itnews.com.au/news/chrome-os-adds-enterprise-identity-verification-437427

Google Chrome 54 Beta Includes Encryption to Guard Against Quantum Attack (September 15, 2016)

Google has released a beta version of its Chrome browser that includes a feature that aims to protect user data even when faced with quantum attacks. The Chrome 54 beta can encrypt data being sent to and from sites with technology known as CECPQ1.

[Editor Comments]

[Northcutt]
This is experimental. It is used in conjunction with standard elliptic curve cryptography in case an easy solution to the "New Hope" algorithm is found.
-https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html
-https://eprint.iacr.org/2015/1092.pdf
Read more in:
CNET: Chrome updated so tomorrow's quantum computers can't crack today's encryption
-https://www.cnet.com/news/chrome-updated-so-tomorrows-quantum-computers-cant-crack-todays-encryption/

Volkswagen's New Cybersecurity Firm to Address Automotive Industry Concerns (September 14 & 15, 2016)

Volkswagen, along with three Israeli cybersecurity specialists, has started a new company dedicated to cybersecurity for automobiles. Cymotive Technologies plans to "develop advanced cyber-security solutions for next-generation connected cars and mobile services." In a related story, earlier this week, US legislators called for the National Highway Traffic Safety Administration (NHTSA) to "convene an industry-wide effort to develop a plan of action for addressing the risk posed by the existence of the OBD-II port in the modern vehicle system."
Read more in:
Computerworld: Volkswagen starts a new cybersecurity firm to prevent car hacking
-http://www.computerworld.com/article/3120368/security/volkswagen-starts-a-new-cybersecurity-firm-to-prevent-car-hacking.html

ZDNet: Volkswagen launches new cybersecurity firm to tackle car security
-http://www.zdnet.com/article/volkswagen-launches-new-cybersecurity-firm-to-tackle-car-security/

Computerworld: Government, carmakers more worried than ever about vehicle cyber attacks
-http://www.computerworld.com/article/3120390/car-tech/government-carmakers-more-worried-than-ever-about-vehicle-cyber-attacks.html

Volkswagen: Press Release
-https://www.volkswagen-media-services.com/en/detailpage/-/detail/Volkswagen-enters-into-cooperation-with-top-Israeli-experts-to-establish-an-automotive-cyber-security-company/view/3949027/7a5bbec13158edd433c6630f5ac445da?p_p_auth=ih9Y5bpe

US House Energy and Commerce Committee: Press Release
-https://energycommerce.house.gov/news-center/press-releases/committee-leaders-request-nhtsa-convene-industry-wide-effort-develop-plan

Adobe Patches Flaws in Flash and Digital Edition (September 14, 2016)

Adobe has released security updates for its Flash Player and Digital Edition products. The updates for Flash address more than two dozen vulnerabilities and are available for Windows, Mac, and Linux. The majority of the Flash vulnerabilities could be exploited to allow remote code execution; three others could be exploited to bypass security features. The update for Digital Editions addresses eight memory corruption vulnerabilities, all of which could be exploited to allow remote code execution.
Read more in:
Computerworld: Adobe fixes critical flaws in Flash Player and Digital Editions
-http://www.computerworld.com/article/3120404/security/adobe-fixes-critical-flaws-in-flash-player-and-digital-editions.html

KrebsonSecurity: Adobe, Microsoft Push Critical Updates
-http://krebsonsecurity.com/2016/09/adobe-microsoft-push-critical-updates-3/
Adobe: Security Bulletin for Flash Player
-https://helpx.adobe.com/security/products/flash-player/apsb16-29.html
Adobe: Security Bulletin for Digital Editions
-https://helpx.adobe.com/security/products/Digital-Editions/apsb16-28.html

Microsoft Patch Tuesday (September 14, 2016)

Microsoft's security updates for September address at least 50 vulnerabilities in a variety of products. Seven of the 14 security bulletins were given severity ratings of "critical." One of the flaws addressed is a critical information disclosure vulnerability in Internet Explorer (IE) that is being actively exploited in malvertising campaigns. The flaw was first reported to Microsoft in September 2015.
Read more in:
Computerworld: Microsoft releases one of its biggest security updates this year
-http://www.computerworld.com/article/3119978/security/microsoft-releases-one-of-its-biggest-security-updates-this-year.html

Dark Reading: Microsoft Patches Zero Day Flaw Used in Two Massive Malvertising Campaigns
-http://www.darkreading.com/attacks-breaches/microsoft-patches-zero-day-flaw-used-in-two-massive-malvertising-campaigns/d/d-id/1326908?

ZDNet: Microsoft patches critical IE bug that was under attack for nearly three years
-http://www.zdnet.com/article/microsoft-patches-critical-ie-bug-that-was-under-attack-for-nearly-three-years/

Microsoft: Security Bulletin Summary for September 2016
-https://technet.microsoft.com/en-us/library/security/ms16-sep.aspx

Olympic Athlete Doping Test Results Leaked (September 13 & 14, 2016)

Medical information about Olympic athletes has been leaked, according to the World Anti-Doping Agency. While the leaked information shows that some athletes tested positive for banned substances, all had received therapeutic medical use exemptions, and were not breaking any rules.
Read more in:
Ars Technica: US athletes' doping tests published by Russian hackers, agency says
-http://arstechnica.com/security/2016/09/anti-doping-agency-pins-leak-of-us-gold-medalists-data-on-russian-hackers/

BBC: Russian hackers leak Simone Biles and Serena Williams files
-http://www.bbc.com/news/world-37352326
Computerworld: Hackers smear Olympic athletes with data dump of medical files
-http://www.computerworld.com/article/3119893/security/hackers-smear-olympic-athletes-with-data-dump-of-medical-files.html

Wired: Russian Hackers Get Bolder in Anti-Doping Agency Attack
-https://www.wired.com/2016/09/anti-doping-agency-attack-shows-russian-hackers-getting-bolder/


INTERNET STORM CENTER TECH CORNER

Microsoft Patches
-https://isc.sans.edu/mspatchdays.html?viewday=2016-09-13

Adobe Air Patches
-https://helpx.adobe.com/security/products/air/apsb16-31.html

iOS 10 Update
-https://isc.sans.edu/forums/diary/Apple+iOS+10+and+1001+Released/21473/

Exploit Attempts for Drupal RESTWS Module Vulnerability
-https://isc.sans.edu/forums/diary/Exploit+Attempts+for+Drupal+RESTWS+x+Module+Vulnerability/21481/

Google France XSS Vulnerability
-https://sysdream.com/news/lab/2016-09-12-cross-site-scripting-vulnerability-found-on-www-google-fr/

Pokemon Go Continues to Lead to Malware
-https://securelist.com/blog/mobile/76081/rooting-pokemons-in-google-play-store/

VMWare Update Fixes Escape Vulnerability
-https://www.vmware.com/security/advisories/VMSA-2016-0014.html?

Locky Ransomware Updates
-https://blog.avira.com/locky-ransomware-goes-autopilot/
-https://blogs.forcepoint.com/security-labs/locky-distributor-uses-newly-released-quant-loader-sold-russian-underground

-https://isc.sans.edu/forums/diary/Is+2+out+of+3+good+enough+for+AntiMalware/21485/

Critical Update For Cisco WebEx Server
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160914-wem

Dualtoy Malware Attacks iOS and Android
-http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/

Certificate Pinning Issue in Firefox/Tor Browser
-https://hackernoon.com/tor-browser-exposed-anti-privacy-implantation-at-mass-scale-bd68e9eb1e95#.9jnte0u52



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create