SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #76
September 23, 2016
Very useful Gartner Research Note (G00308938) that went to more than 9,000 CIOs on Tuesday. It targets networking but focuses especially on security and says organizations can save as much as 25% of their network (and network security) costs by making the suggested shift.
Title: Time to Shift Network Spend From Premium Products to Premium People.
Two key points on network security:
1. An under-skilled staff is more likely to depend too heavily on a single vendor; that drives up non-labor costs.
2. An under-skilled staff will not be able to do critical tasks (like segmentation, implementing the Critical Security Controls, etc.) that reduce the need for more security staff.
Add the new Center for Strategic and International Studies' report due in mid October, showing that security people with premium skills value investments in their advanced training more than extra salary, and this might be a good time to ask your boss to fund your attendance at one of the hands-on immersion courses at CDI in Washington or in Dallas, Seattle, Baltimore, Tysons Corner, San Diego, Crystal City, Miami, Nashville, Houston, or San Francisco or one of 16 other cities around the world scheduled in the next 90 days. See: https://www.sans.org/security-training/by-location/north-america
Alan
TOP OF THE NEWS
Yahoo Confirms Massive Account Data Breach
KrebsonSecurity Targeted in Massive DDoS Attack
Data Breach Insurance Act
THE REST OF THE WEEK'S NEWS
US House Passes Small Business Cyber Security Act
Drupal Patches Critical Flaws
Air Force Moving Forward with Weapons Systems Hardening
US Cities Want Transparency in Law Enforcement Surveillance Tech Use
Apple Releases macOS Sierra
Microsoft Offering Azure Cloud Services Through Data Centers in Germany
Certificate Pinning Flaw Hard to Detect
Congressman Introduces Voting Security Legislation
SWIFT to Introduce New Fraud Detection Measure
Phishers Targeting Students
INTERNET STORM CENTER TECH CORNER
*********************** Sponsored By CloudFlare **********************
In case you missed it: "Hardening Microservices Security: Building a Layered Defense Strategy." You can view the webcast presentation and download the slides by logging into your SANS Portal Account or creating an Account. Click the Register Now button after you have logged in to view the Webcast. http://www.sans.org/info/188647
***************************************************************************
TRAINING UPDATE
--Security Leadership Summit & Training | Dallas, TX | September 27 - October 4, 2016 |
https://www.sans.org/event/security-leadership-summit-2016
--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA |
https://www.sans.org/event/seattle-2016
--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic |
https://www.sans.org/event/dfir-prague-2016
--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD |
https://www.sans.org/event/baltimore-2016
--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan |
https://www.sans.org/event/tokyo-autumn-2016
--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA |
https://www.sans.org/event/tysons-corner-2016
--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA |
https://www.sans.org/event/san-diego-2016
--Pen Test HackFest Summit & Training | November 2-9, 2016 | Crystal City, VA |
https://www.sans.org/event/pen-test-hackfest-2016
--Healthcare Cybersecurity Summit & Training | November 14-21, 2016 | Houston, TX |
https://www.sans.org/event/healthcare-cyber-security-summit-2016
--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC |
https://www.sans.org/event/cyber-defense-initiative-2016
--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA |
https://www.sans.org/event/security-east-2017
TOP OF THE NEWS
Yahoo Confirms Massive Account Data Breach (September 22, 2016)
Yahoo has confirmed that a breach in late 2014 compromised account details for at least 500 million users. The attack is believed to have been conducted by a "state-sponsored actor." Compromised data include names, dates of birth, hashed passwords (the vast majority with bcrypt, according to Yahoo) and, in some cases, security questions and answers, some of them stored unencrypted. Yahoo discovered the breach while investigating a report that someone was selling millions of stolen Yahoo login credentials on the black market.
[Editor Comments]
[Ullrich]
Beyond the size of the breach, the leak of unencrypted password reset questions and answers is troubling. Many sites use similar questions and it would be simple to reset a user's password on a different site. Password reset questions should be treated like passwords, even if your site does not use them to directly reset the password but instead uses them just to rate limit password reset requests.
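A server-side way to store and check reset answers the way the comment above recommends, written here as an added example in Python (it is not code from Yahoo or from the newsletter): answers are normalized, hashed with a per-answer salt and a slow key-derivation function, compared in constant time, and gated by a per-account failure limit so that they cannot be guessed online either. The function names, iteration count and limits are this example's own choices, not from any source.

```python
"""Storing and checking password-reset answers like passwords.

Added example, not Yahoo's code.  The iteration count and the lockout
limits are choices made for this example.
"""
import hashlib
import hmac
import os
import unicodedata

SALT_BYTES = 16
PBKDF2_ITERATIONS = 100_000  # raise as hardware allows; use Argon2/scrypt/bcrypt if available


def normalize_answer(answer: str) -> str:
    """Canonicalize so "Fluffy!" and "fluffy " match: NFKC, case-fold, keep
    only letters and digits.  Apply before hashing and before verifying."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return "".join(ch for ch in folded if ch.isalnum())


def hash_answer(answer: str, salt=None) -> bytes:
    """Return salt || PBKDF2-HMAC-SHA256(normalized answer).  Store this,
    never the plaintext, so a database leak does not hand out reusable answers."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_answer(stored: bytes, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    trial = hashlib.pbkdf2_hmac("sha256", normalize_answer(candidate).encode("utf-8"),
                                salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, trial)


class ResetGate:
    """Per-account limit on failed answers within a sliding window.

    A hashed answer is still guessable online if attempts are unlimited; this
    is the rate limiting of reset requests the comment refers to.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures = {}  # account -> list of failure timestamps

    def _recent_failures(self, account: str, now: float) -> list:
        cutoff = now - self.window
        recent = [t for t in self._failures.get(account, []) if t > cutoff]
        self._failures[account] = recent
        return recent

    def attempt(self, account: str, stored: bytes, candidate: str, now: float) -> str:
        """Return "locked", "wrong" or "ok".  While locked the answer is not
        evaluated at all, so a locked account gives the caller no oracle."""
        if len(self._recent_failures(account, now)) >= self.max_failures:
            return "locked"
        if verify_answer(stored, candidate):
            self._failures.pop(account, None)
            return "ok"
        self._failures.setdefault(account, []).append(now)
        return "wrong"


if __name__ == "__main__":
    record = hash_answer("Fluffy!")          # what the database would hold
    gate = ResetGate(max_failures=3)
    print(gate.attempt("alice", record, "rex", now=0.0))      # wrong
    print(gate.attempt("alice", record, "FLUFFY ", now=1.0))  # ok
```

Normalizing before hashing is what makes the stored value usable for a help-desk flow without keeping the plaintext around; the trade-off is that the normalized space is smaller, which is one more reason the gate has to stay in front of it.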
[Pescatore]
As usual, the latest "largest ever" breach points out the need to move beyond reusable passwords. Yahoo offers two step verification but none of the large consumer email providers have been educating users and giving them incentives to make the move. I'd like to see some portion of their ad revenue (same with Google, Microsoft, and AOL) be donated toward selling that message to the eyeballs they reach. Also, I really hope Verizon drastically drops the price they are paying for Yahoo. In a September 9 proxy filing, Yahoo stated they were not aware of any "security Breaches, unauthorized access or unauthorized use of any of Seller's or the Business Subsidiaries' information technology systems or (ii) loss, theft, unauthorized access or acquisition, modification, disclosure, corruption, or other misuse of any Personal Data in Seller's or the Business Subsidiaries' possession" A big drop in acquisition value because of this would be a good wake up call to other Boards of Directors.
[Murray]
End users should respond to this news by implementing strong authentication options, not only on Yahoo! (Yes, Yahoo! does offer such an option but has not promoted it), but on all services that offer them.
Read more in:
Dark Reading: Yahoo Reveals Nation State-Borne Data Breach Affecting A Half-Billion Users
-http://www.darkreading.com/attacks-breaches/yahoo-reveals-nation-state-borne-data-breach-affecting-a-half-billion-users/d/d-id/1326984
Bloomberg: Yahoo Says at Least 500 Million Accounts Breached in Attack
-http://www.bloomberg.com/news/articles/2016-09-22/yahoo-says-at-least-500-million-accounts-breached-in-hack-attack
CNET: Yahoo warns users at least 500 million accounts were hacked
-https://www.cnet.com/news/yahoo-500-million-accounts-hacked-data-breach/
KrebsonSecurity Targeted in Massive DDoS Attack (September 22, 2016)
Earlier this week, KrebsonSecurity.com was targeted in a massive distributed denial-of-service (DDoS) attack. The attack did not knock the site offline until Thursday, September 22, when Akamai Technologies, which had been protecting the site, withdrew that protection. Reports indicate that at their peak, the attacks were bombarding Krebs's site with 620 Gbps of traffic. The attack was likely launched in retaliation for Krebs's story about the vDOS booter service, which led to the arrest of two men.
[Editor Comments]
[Guest Editor Donald Smith]
Krebs wasn't kicked off Akamai; he was kicked off Prolexic. Here is a quote from him: "Holy moly. Prolexic reports my site was just hit with the largest DDOS the internet has ever seen. 665 Gbps. Site's still up. #FAIL 8:02 PM - 20 Sep 2016 798 Retweets 1,088 likes"
Had he been on Akamai's CDN platform, they might have complained but they charge by the MB so their complaint would have been in a BIG BILL :)
[Murray]
Few understand the cost of "telling truth to power" better than Brian Krebs.
Read more in:
KrebsonSecurity: KrebsonSecurity Hit With Record DDoS
-http://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
BBC: Massive web attack hits security blogger
-http://www.bbc.com/news/technology-37439513
Data Breach Insurance Act (September 15 & 22, 2016)
US Congressman Ed Perlmutter (D-Colorado) has introduced the Data Breach Insurance Act. The bill would provide a 15 percent tax credit for organizations that purchase breach insurance and adopt the National Institute of Standards and Technology's (NIST's) Cybersecurity Framework or other cybersecurity standards approved by the Secretary of the Treasury.
[Editor Comments]
[Pescatore]
If the goal is to use tax law to incentivize businesses to be more secure, I'd rather see the government do so directly rather than trying to go through requirements for insurance policies. The approach Congressman Perlmutter proposes would require businesses to get specific data breach insurance that requires an assessment against and demonstration of compliance with the NIST Cybersecurity Framework (others could be added) in order to get that 15% tax credit on the premiums. To insure against the average sized breach, cost per year for the insurance would be in the range of $40K - 150K per year but there are deductibles and various clauses that limit payout. A tax credit of $6k - 25K per year probably wouldn't offset even the non-covered costs and deductibles.
Read more in:
IA Magazine: Bill Would Provide Tax Credit for Data Breach Insurance
-http://www.iamagazine.com/news/read/2016/09/22/bill-would-provide-tax-credit-for-data-breach-insurance
House.gov: Perlmutter Introduces Legislation to Help Mitigate the Impacts of Data Breaches
-http://perlmutter.house.gov/news/documentsingle.aspx?DocumentID=1471
Congress.gov: H.R. 6032 - Data Breach Insurance Act
-https://www.congress.gov/bill/114th-congress/house-bill/6032
*************************** SPONSORED LINKS ***************************
1) Live Webcast: Stop Ransomware Before it Strikes Your Organization - Register Today! http://www.sans.org/info/188632
2) Attend SANS HackFest! In-depth talks, pen test courses, NetWars, & more! Washington, DC - Nov 2 - 9. Register: http://www.sans.org/info/188637
3) SANS 2016 Security Analytics & Intelligence Survey is now OPEN! Take the survey and enter to win a $400 Amazon Gift Card: http://www.sans.org/info/188642
******************************************************************************
THE REST OF THE WEEK'S NEWS
US House Passes Small Business Cyber Security Act (September 22, 2016)
The US House of Representatives approved a bill that aims to increase cybersecurity services available to small businesses. The Small Business Cyber Security Act would have the Small Business Administration work with the Department of Homeland Security (DHS) to develop a strategy to extend services to small businesses through existing small business development centers.
[Editor Comments]
[Murray]
SBA has been giving security advice and counsel to small business since the early eighties. It is advisory, hygiene, honored more in the breach, not high on the list of the beleaguered small entrepreneur, whose biggest risks are business risks. She looks to the SBA more for financing and business guidance than anything else. In information assurance, she is more guided by what little she hears on the news. The problem is not lack of guidance.
Read more in:
The Hill: Improving Small Business Cyber Security Act clears House
-http://thehill.com/policy/cybersecurity/297192-improving-small-business-cyber-security-act-clears-house
Drupal Patches Critical Flaws (September 22, 2016)
The Drupal Security Team has released fixes for three vulnerabilities, two of which are rated critical. One of the critical flaws is a cross-site scripting (XSS) bug that lets an attacker run script in a victim's browser; the second allows users without administrative permissions to download a full configuration export. Drupal 8 users are urged to upgrade to version 8.1.10.
[Editor Comments]
[Williams]
As with the July Drupal upgrades, this is a "drop everything and patch now" kind of vulnerability. The cross site scripting (XSS) attack is not a remote code execution (RCE) on the server like one of the Drupal vulnerabilities patched in July (
-https://www.drupal.org/SA-CORE-2016-003).
Rather, like all XSS attacks, it executes code in the user's browser. For server administrators, the ability for an attacker to download a full config export is probably much more damaging as it contains sensitive information that may be coupled with other vulnerabilities and misconfigurations to compromise the server on which Drupal is being hosted.
Read more in:
SC Magazine: Drupal patches two critical vulnerabilities
-http://www.scmagazine.com/drupal-patches-two-critical-vulnerabilities/article/524275/
Air Force Moving Forward with Weapons Systems Hardening (September 21 & 22, 2016)
The US Air Force's Task Force Cyber Secure's Cyber Campaign Plan has seven "lines of attack." Speaking at the Air Force Association's Air, Space and Cyber Conference, General Ellen Pawlikowski, commander of Air Force Materiel Command, said that having focus areas has helped the Air Force move forward with its goal of improving the cybersecurity of its weapons systems instead of simply "admiring the problem." The plan aims to provide weapons systems with the same level of security and attention that the Air Force affords its IT systems. The plan's objectives include making sure that security is baked in to new weapons systems and securing existing systems.
Read more in:
Federal News Radio: Air Force sees progress in hardening its weapons against cyber attack, despite no new funding
-http://federalnewsradio.com/air-force/2016/09/air-force-sees-progress-hardening-weapons-cyber-attack-despite-no-new-funding/
FCW: Air Force scrambles to harden weapons systems
-https://fcw.com/articles/2016/09/21/usaf-pawlikowski-cyber.aspx
US Cities Want Transparency in Law Enforcement Surveillance Tech Use (September 21, 2016)
Eleven US cities will introduce legislation requiring greater transparency of law enforcement agencies' use of surveillance technologies. The bills would give the cities "meaningful opportunity to review and participate in all decisions about if and how surveillance technologies are acquired and used locally." The Community Control Over Police Surveillance initiative is led by the American Civil Liberties Union (ACLU).
Read more in:
Computerworld: 11 cities plan to force cops to disclose secret surveillance technologies
-http://www.computerworld.com/article/3122866/security/11-cities-plan-to-force-cops-to-disclose-secret-surveillance-technologies-used.html
The Register: US cities promise to crack down on police surveillance tech
-http://www.theregister.co.uk/2016/09/21/us_cities_push_police_surveillance_overhaul/
ACLU: Community Control Over Police Surveillance
-https://www.aclu.org/feature/community-control-over-police-surveillance
Apple Releases macOS Sierra (September 21, 2016)
Apple has released macOS Sierra 10.12, the successor to OS X 10.11 El Capitan. The new OS addresses 65 vulnerabilities. The release also marks the renaming of Apple's desktop operating system from OS X to macOS. Sierra's release comes one week after the release of iOS 10. Apple has also released Safari 10, with its own security fixes, for earlier versions of OS X.
Read more in:
Computerworld: Apple's new macOS Sierra fixes over 60 security flaws
-http://www.computerworld.com/article/3122802/security/apples-new-macos-sierra-fixes-over-60-security-flaws.html
eWeek: Apple macOS Sierra Fixes 68 Vulnerabilities
-http://www.eweek.com/security/apple-macos-sierra-fixes-68-vulnerabilities.html
Microsoft Offering Azure Cloud Services Through Data Centers in Germany (September 21, 2016)
Microsoft is now offering Azure cloud services from datacenters in Germany, which will make it more difficult for the US government to demand access to customer data. Information stored with Microsoft Cloud Germany is under the control of a data trustee, Deutsche Telekom subsidiary T-Systems International. Microsoft will not have access to the information stored at the data centers without the permission of the customer and the trustee, which will supervise the access.
[Editor Comments]
[Williams]
This seems an extension of the bullet-proof hosting concept that cyber criminals have used for years in Eastern Europe. Businesses may be able to gain a competitive advantage by advertising that their datacenter services are beyond the (easy) reach of US law enforcement. Those that do incident response in Germany already know how hard it is to obtain data there due to privacy laws. Organizations wishing to "subpoena proof" their services should look to Germany for hosting.
Read more in:
ZDNet: Microsoft's new datacenters aim to put customer data beyond the reach of US snooping
-http://www.zdnet.com/article/microsofts-new-datacenters-aim-to-put-customer-data-beyond-the-reach-of-us-snooping/
Certificate Pinning Flaw Hard to Detect (September 21, 2016)
The certificate pinning flaw recently patched in Firefox and the Tor Browser was hard to detect because it is intermittent: it exists only during certain windows of time. Firefox ships a built-in (static) list of pins that carries a hard-coded expiry date. When that date passed before a new build with fresh expiry dates had reached users, the browsers silently stopped enforcing certificate pinning, including for the connection used to fetch some browser extensions. During such a window, an attacker who could both obtain a mis-issued certificate and intercept the connection would face only ordinary CA validation.
[Editor Comments]
[Northcutt]
Certificate pinning is an effort to protect browsers that download extensions such as NoScript, even if a legitimate certificate authority is compromised, by accepting certificates only from specific pre-trusted authorities. Firefox used a proprietary method instead of the HTTP Public-Key-Pinning (HPKP) protocol. It is not a big exposure since the attacker would have to be in position for a man in the middle attack. However since many users of Tor are human rights activists, certain nation state actors might have an interest in exploiting it.
-https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/
-https://tools.ietf.org/html/rfc7469
-https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning
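To make the expiry behaviour concrete, here is an added example in Python (not code from Firefox, Tor, NSS or the newsletter) that computes HPKP-style SPKI pins, parses a Public-Key-Pins header into a pin set with an absolute expiry, models a preloaded (static) pin set the way a browser build carries one, and checks a certificate chain against either. The SPKI byte strings and the fixed clock value are constructed for the example; a real check would hash the DER-encoded SubjectPublicKeyInfo of each certificate in the validated chain.

```python
"""HPKP-style pin handling: computing pins, parsing the header, checking a chain.

Added example, not browser code.  The SPKI inputs below are constructed
byte strings standing in for DER-encoded SubjectPublicKeyInfo structures.
"""
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_pkp_header(header: str, now: float) -> dict:
    """Parse a Public-Key-Pins header into a pin set with an absolute expiry.

    Handles pin-sha256, max-age and includeSubDomains; report-uri is ignored
    here.  Raises ValueError for a header a user agent must not note.
    """
    pins, max_age, include_subdomains = set(), None, False
    for directive in header.split(";"):
        # partition on the FIRST "=" so base64 padding in the pin survives
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "pin-sha256":
            pins.add(value)
        elif name == "max-age":
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if not pins or max_age is None:
        raise ValueError("header lacks pin-sha256 or max-age; must not be noted")
    return {"pins": pins, "expires": now + max_age,
            "include_subdomains": include_subdomains}


def static_pinset(pins, expires: float) -> dict:
    """A preloaded pin set as a browser build ships it: pins plus a fixed
    expiry timestamp baked into the binary, refreshed only by a new build."""
    return {"pins": set(pins), "expires": expires, "include_subdomains": True}


def may_note_pins(pinset: dict, chain_spkis) -> bool:
    """RFC 7469 section 2.5: note a received header only if at least one pin
    matches the validated chain AND at least one (backup) pin does not."""
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return bool(pinset["pins"] & chain_pins) and bool(pinset["pins"] - chain_pins)


def check_chain(pinset: dict, chain_spkis, now: float, fail_closed: bool = False) -> str:
    """Validate a chain against a pin set.

    Returns "ok", "pin-mismatch", "expired-not-enforced" (the window described
    in the news item: pins past expiry, so only ordinary CA validation remains)
    or "expired-rejected" when the caller asks to fail closed instead.
    """
    if now > pinset["expires"]:
        return "expired-rejected" if fail_closed else "expired-not-enforced"
    chain_pins = {spki_pin(s) for s in chain_spkis}
    return "ok" if pinset["pins"] & chain_pins else "pin-mismatch"


# Constructed inputs (not real keys): stand-ins for DER SubjectPublicKeyInfo blobs.
LEAF_SPKI = b"constructed-spki:leaf-key"
INTERMEDIATE_SPKI = b"constructed-spki:intermediate-ca-key"
BACKUP_SPKI = b"constructed-spki:offline-backup-key"
ROGUE_SPKI = b"constructed-spki:mis-issued-cert-key"
NOW = 1_474_588_800  # 2016-09-23T00:00:00Z, a fixed clock so the run is reproducible


def demo() -> dict:
    """Run the scenarios and return their outcomes keyed by name."""
    leaf_pin, backup_pin = spki_pin(LEAF_SPKI), spki_pin(BACKUP_SPKI)
    header = (f'pin-sha256="{leaf_pin}"; pin-sha256="{backup_pin}"; '
              f'max-age=5184000; includeSubDomains')
    received = parse_pkp_header(header, NOW)
    # Static pins whose expiry passed a day before an updated build shipped.
    stale = static_pinset([leaf_pin, backup_pin], expires=NOW - 86400)
    return {
        "noted": may_note_pins(received, [LEAF_SPKI, INTERMEDIATE_SPKI]),
        "genuine": check_chain(received, [LEAF_SPKI, INTERMEDIATE_SPKI], NOW),
        "rogue": check_chain(received, [ROGUE_SPKI], NOW),
        "rogue_after_expiry": check_chain(received, [ROGUE_SPKI], received["expires"] + 1),
        "stale_static": check_chain(stale, [ROGUE_SPKI], NOW),
        "stale_static_fail_closed": check_chain(stale, [ROGUE_SPKI], NOW, fail_closed=True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "stale_static" outcome is the situation the article describes: the pins themselves are fine, the rogue key is not in them, and yet the check passes control back to ordinary CA validation because the expiry date has already gone by. Whether that should fail open or fail closed is a product decision; HPKP as specified fails open, which is why the check returns a distinct value rather than simply "ok".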
Read more in:
Ars Technica: Bug that hit Firefox and Tor browsers was hard to spot - now we know why
-http://arstechnica.com/security/2016/09/bug-that-hit-firefox-and-tor-browsers-was-hard-to-spot-now-we-know-why/
Congressman Introduces Voting Security Legislation (September 21, 2016)
US Representative Hank Johnson (D-Georgia) has introduced two bills intended to improve election systems security. The Election Integrity Act of 2016 would prohibit the purchase of voting systems that do not provide a voter-verified paper trail. The Election Infrastructure and Security Promotion Act of 2016 would designate voting systems as critical infrastructure and would prohibit connecting voting machines to the Internet "through any publicly accessible network."
[Editor Comments]
[Murray]
The election infrastructure continues to be the most over-constrained problem in information technology. For example, "Integrity" would be easier if one did not have to report the results in hours. Adding additional requirements and restrictions to a "hard problem" rarely makes things better. That said, using paper ballots in the recording step and using technology only for tallying and reporting is proving to work well in many jurisdictions.
Read more in:
Computerworld: New legislation seeks to prevent US voting systems from being hacked
-http://www.computerworld.com/article/3123072/security/new-legislation-seeks-to-prevent-us-voting-systems-from-being-hacked.html
House.gov: Rep. Johnson introduces bills to protect voting systems, integrity of elections
-https://hankjohnson.house.gov/media-center/press-releases/rep-johnson-introduces-bills-protect-voting-systems-integrity-elections
House.gov: Election Infrastructure and Security Promotion Act of 2016
-http://hankjohnson.house.gov/sites/hankjohnson.house.gov/files/documents/Election_Infrastructure%20_Security_Promotion_Act%20_2016.pdf
House.gov: Election Integrity Act of 2016
-http://hankjohnson.house.gov/sites/hankjohnson.house.gov/files/documents/Election_Integrity_Act_2016.pdf
SWIFT to Introduce New Fraud Detection Measure (September 20 & 22, 2016)
SWIFT, the international banking funds transfer messaging network, has acknowledged that cyberattacks are "here to stay." Speaking at the Financial Times Cyber Security Summit in London, UK, SWIFT CISO Alain Desausoi said that the organization plans to introduce Daily Validation Reports, which it hopes will help detect fraud by examining message flows for anomalies. The reports, along with customer access to risk reports, will begin in December 2016.
Read more in:
ZDNet: SWIFT says bank cyberattacks 'here to stay'
-http://www.zdnet.com/article/swift-says-bank-cyberattacks-here-to-stay/
The Register: SWIFT warns of more 'sophisticated' attacks, readies anti-fraud tool
-http://www.theregister.co.uk/2016/09/22/swift_warns_of_more_sophisticated_attacks_readies_antifraud_tool/
Ars Technica: SWIFT hopes to thwart fraudsters with detection system in wake of bank heist
-http://arstechnica.com/security/2016/09/swift-fraudsters-detection-system-bangladesh-bank-heist/
Phishers Targeting Students (September 20, 2016)
Students in the UK are being warned of a phishing scam that tries to get them to divulge their bank account details. The phishing messages appear to come from their schools' finance departments and claim to offer educational grants.
[Editor Comments]
[Williams]
Cormac Herley from Microsoft published some interesting research last year highlighting that scammers get the best ROI when they target gullible people specifically. Scammers may have figured out that students, who largely have not been educated about phishing threats, are a highly gullible population.
-https://www.microsoft.com/en-us/research/publication/why-do-nigerian-scammers-say-they-are-from-nigeria/
Read more in:
BBC: Students warned of new 'phishing' scam
-http://www.bbc.com/news/education-37408373
INTERNET STORM CENTER TECH CORNER
MacOS Sierra and Safari 10 Release
-https://isc.sans.edu/forums/diary/Getting+Ready+for+macOS+Sierra+Upgrade+Securely/21465/
BackConnect BGP Hijacks
-http://research.dyn.com/2016/09/backconnects-suspicious-bgp-hijacks/
Metasploit Vulnerability (static-key deserialization RCE)
-https://github.com/justinsteven/advisories/blob/master/2016_metasploit_rce_static_key_deserialization.md
Those never-ending waves of Locky Malspam
-https://isc.sans.edu/forums/diary/Those+neverending+waves+of+Locky+malspam/21505/
Windows Anti Malware Scan Interface (AMSI)
-http://www.labofapenetrationtester.com/2016/09/amsi.html
Cloudflare Introducing Opportunistic Encryption (HTTP/2 for unencrypted sites)
-https://blog.cloudflare.com/opportunistic-encryption-bringing-http-2-to-the-unencrypted-web/
Australian Police Warn of Malicious USB Sticks
-https://www.vicpolicenews.com.au/news/harmful-usb-drives-found-in-letterboxes
OpenSSL Security Update
-https://isc.sans.edu/forums/diary/OpenSSL+Update+Released/21509/
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create