SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #78
September 30, 2016
TOP OF THE NEWS
US Rep. Lieu Asks New Federal CISO About Agencies' Failure to Implement GAO Cybersecurity Recommendations
Eighteen US States Seek DHS Help With Voting Systems Security
DDoS Attack on French Web Host Came From Compromised IoT Devices
Lock Down Your Login Campaign Promotes Strong Authentication
THE REST OF THE WEEK'S NEWS
FedRAMP Approval Accelerated
NIST Publishes Draft Cybersecurity Self-Assessment Tool
Guilty Plea in Syrian Electronic Army Case
Microsoft's Project Springfield: Cloud-Based Fuzzing
Google's Content Security Policy Evaluator Tool
Tesla Firmware Updates Now Require Code Signing
Firefox to Block WoSign Certificates
Edge's New Security Feature Will Virtualize Untrusted Web Pages
INTERNET STORM CENTER TECH CORNER
TRAINING UPDATE
--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD |
https://www.sans.org/event/baltimore-2016
--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan |
https://www.sans.org/event/tokyo-autumn-2016
--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA |
https://www.sans.org/event/tysons-corner-2016
--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA |
https://www.sans.org/event/san-diego-2016
--Pen Test HackFest Summit & Training | November 2-9, 2016 | Crystal City, VA |
https://www.sans.org/event/pen-test-hackfest-2016
--Healthcare Cybersecurity Summit & Training | November 14-21, 2016 | Houston, TX |
https://www.sans.org/event/healthcare-cyber-security-summit-2016
--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC |
https://www.sans.org/event/cyber-defense-initiative-2016
--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA |
https://www.sans.org/event/security-east-2017
--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV |
https://www.sans.org/event/las-vegas-2017
--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan |
https://www.sans.org/event/secure-japan-2017
TOP OF THE NEWS
US Rep. Lieu Asks New Federal CISO About Agencies' Failure to Implement GAO Cybersecurity Recommendations (September 28, 2016)
US Representative Ted Lieu (D-California) has written a letter to federal Chief Information Security Officer (CISO) General Greg Touhill regarding government agencies' failure to adopt thousands of cybersecurity measures recommended by the General Accounting Office (GAO). In his letter, Lieu asks why agencies have not implemented the GAO's recommendations; how Congress can help; and whether there are any GAO recommendations that Touhill believes should not be implemented.
[Editor Comments ]
[Paller ]
We'll know in 90 days whether Greg Touhill was a good choice for U.S. CISO. In the final months of this administration, the new CISO could make measurable progress in reducing vulnerabilities in federal systems. Just getting rid of flaws in federal web sites that infect the computers of citizens would be a great one-month project. Tony Scott (Greg Touhill's boss at OMB) showed it could be done. Or he could have a larger impact by just measuring each federal IT contract to see whether it included the 3 key clauses that ensure systems are defensible and illuminating those that don't. Just making that data available to the President's Management Council would be a game changer and prove the federal government can lead by example. Again - a 1-2 month project. Touhill comes from DHS, the agency that has a near perfect record of "admiring the cybersecurity problem" rather than fixing it. Can he make the change quickly or will he bring along the baggage?
[Pescatore ]
A nice warning shot by Rep. Lieu across the bow of the incoming Federal CISO Touhill. Any "I'm from Congress and how can we help?" letter is a good reason to show rapid progress to avoid such help. It would be good to see the new federal CISO and deputy CISO have an internal focus on making FY17 the first year in many where the government actually makes real improvement in basic security hygiene as a foundation for secure government services overall.
Read more in:
SC Magazine: Rep. Lieu questions federal CISO on cybersecurity plans
-http://www.scmagazine.com/rep-lieu-questions-federal-ciso-on-cybersecurity-plans/article/525462/
House.gov: Rep. Lieu's letter to Gen. Touhill (PDF)
-https://lieu.house.gov/sites/lieu.house.gov/files/documents/2016-09-27%20Rep.%20Lieu%20letter%20to%20FCISO%20Touhill%20on%20GAO%20Report%20Cyber%20Recs.pdf
Eighteen US States Seek DHS Help With Voting Systems Security (September 27 & 29, 2016)
Eighteen US states have asked the Department of Homeland Security (DHS) for help securing their voting systems. DHS is offering scans of Internet-facing systems and access to cyber incident reporting centers. In a related story, the FBI has reported that more voter registration systems around the country have been experiencing intrusion attempts.
[Editor Comments ]
[Murray ]
This week's Congressional hearing where the head of this program and others testified is not yet up on C-SPAN.org but worth watching for.
Read more in:
FCW: 18 states tap DHS for voting security help
-https://fcw.com/articles/2016/09/27/18-states-voting-cyber.aspx
Computerworld: FBI reports more attempts to hack voter registration system
-http://www.computerworld.com/article/3125608/security/fbi-reports-more-attempts-to-hack-voter-registration-system.html
DDoS Attack on French Web Host Came From Compromised IoT Devices (September 28 & 29, 2016)
A web hosting company in France has reportedly been the target of a massive distributed denial-of-service (DDoS) attack that harnessed the power of compromised Internet of Things (IoT) devices. At its peak, the attack on OVH was delivering traffic at 1.1 Tbps.
[Editor Comments ]
[Ullrich ]
At the Internet Storm Center (ISC), we are currently following a huge surge in brute force telnet attempts against these IOT devices. The attacks started about 2 weeks ago using passwords that are typical for security camera DVRs. Sadly, these passwords are for the most part unmaintained by home users and small businesses, so there is little chance of getting cleaned up. Hope to have more details about the exact exploits used next week once I have analyzed our honeypots in more detail, but here are graphs showing the rise in these particular passwords, for example the password "xc3511", or "7ujMko0admin" (see -https://isc.sans.edu/ssh.html?pw=xc3511 ). Our honeypot, an actual DVR, usually lasts less than an hour before getting infected with a variant of this attack, and it is being attacked (on a normal Comcast IP address) at a rate that requires me to reboot it several times an hour because its telnet daemon keeps crashing. Some of these passwords are "hard coded" and cannot be changed by the user. If you have one of these devices, then it is probably already too late.
[Murray ]
The bigger problem with the IoT is not that rogue hackers will pervert the function but that they will exploit the gratuitous general-purpose function and capacity for brute force attacks.
[Honan ]
When we talk about IoT security, the focus is very much on the security of the device itself or the privacy of its owners. This story, and the DDoS attack against Brian Krebs' website, are prime examples of how bad security of one device, or company, can negatively impact the overall security of the Internet community.
Read more in:
BBC: Army of webcams used in net attacks
-http://www.bbc.com/news/technology-37504719
Ars Technica: Record-breaking DDoS reportedly delivered by >145k hacked cameras
-http://arstechnica.com/security/2016/09/botnet-of-145k-cameras-reportedly-deliver-internets-biggest-ddos-ever/
Lock Down Your Login Campaign Promotes Strong Authentication (September 2016)
The White House, along with the National Cyber Security Alliance, technology companies and other organizations, has teamed up to teach computer users how to establish strong authentication for social media, email, and financial accounts. The Lock Down Your Login campaign's website describes the different types of multi-factor authentication and how to use them.
[Editor Comments ]
[Murray ]
No other single mechanism offers so much reduction in risk for so little. At least nine users in ten carry a mobile. Google delivers the OTP in spoken language over POTS to the other one. When you are breached, the absence of this measure will be a contributing factor. Google will license you their code. We are all but begging you on bended knee. Please. If, in the face of all evidence to the contrary, you still believe your users will not like it, at least offer them the option.
Read more in:
CNET: White House: Your logins must be better than this
-https://www.cnet.com/news/white-house-obama-lock-down-your-login-password-authentication/
Lockdownyourlogin.com:
-https://www.lockdownyourlogin.com/
THE REST OF THE WEEK'S NEWS
FedRAMP Approval Accelerated (September 29, 2016)
Microsoft received a provisional Authority to Operate for its Customer Relationship Manager Online just 15 weeks after initiating the process. FedRAMP Accelerated was developed because companies were finding that approval through regular FedRAMP processes was taking an average of nine to 18 months. FedRAMP Accelerated was launched last spring.
[Editor Comments ]
[Pescatore ]
Two points: (1) FedRAMP now has 72 authorized services (including all the major ones) with another 49 in-process. Whether you are in government or private industry, look first at FedRAMP authorized services, for both business and IT, and you will be ahead in the security game; (2) Two cloud-delivered security offerings are also approved (Qualys and Skyhigh) and 9 others are in process (Centrify, Cloudlock, Cylance, Fireeye, MobileIron, Okta, Proofpoint, Trapwire (not Tripwire!), and Veracode). FedRAMP certification should be a strongly-weighted evaluation criterion when considering cloud-delivered security services.
Read more in:
FCW: Microsoft is first through FedRAMP Accelerated?
-https://fcw.com/articles/2016/09/29/microsoft-graduates-fast-fedramp.aspx
NIST Publishes Draft Cybersecurity Self-Assessment Tool (September 29, 2016)
The US National Institute of Standards and Technology (NIST) has published a draft cybersecurity self-assessment tool. The Baldrige Cybersecurity Excellence Builder provides an assessment of an agency's security maturity level. The document is open for public comment through December 15, 2016. NIST has also released SP 800-177, Trustworthy Email, to address issues not covered by its basic email guidance document, SP 800-45, which was published nearly 10 years ago.
Read more in:
GCN: NIST offers cyber self-assessment tool; updates email security guidance
-https://gcn.com/blogs/cybereye/2016/09/nist-cyber-self-assessment.aspx?admgarea=TC_SecCybersSec
NIST: Baldrige Cybersecurity Excellence Builder (PDF)
-https://www.nist.gov/sites/default/files/documents/2016/09/15/baldrige-cybersecurity-excellence-builder-draft-09.2016.pdf
NIST: SP 800-177: Trustworthy Email (PDF)
-http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-177.pdf
Guilty Plea in Syrian Electronic Army Case (September 28 & 29, 2016)
Peter Romar has pleaded guilty in US federal court to conspiring to receive extortion proceeds and conspiring to unlawfully access computers. Romar has been affiliated with the Syrian Electronic Army (SEA). He faces up to five years in prison. An alleged co-conspirator is still at large.
[Editor Comments ]
[Honan ]
While this is a good move by Tesla, it is disappointing to think that code signing was overlooked in the first place. This is why it is important to ensure a thorough threat tree analysis is carried out for any major systems development and that security is baked in from the beginning.
Read more in:
The Hill: Syrian Electronic Army hacker pleads guilty in Virginia
-http://thehill.com/policy/cybersecurity/298378-syrian-electronic-army-member-pleads-guilty-in-virginia
SC Magazine: Cybercrime Blotter: Syrian Electronic Army hacker pleads guilty to hacking news sites and extortion
-http://www.scmagazine.com/cybercrime-blotter-syrian-electronic-army-hacker-pleads-guilty-to-hacking-news-sites-and-extortion/article/525981/
DoJ: Syrian Electronic Army Hacker Pleads Guilty
-https://www.justice.gov/opa/pr/syrian-electronic-army-hacker-pleads-guilty
Microsoft's Project Springfield: Cloud-Based Fuzzing (September 27 & 28, 2016)
Microsoft's new Project Springfield is a cloud-based whitebox fuzzing service for developers. The service will help developers find bugs that attackers frequently exploit. Microsoft has not specified when the service will become available.
[Editor Comments ]
[Pescatore ]
Attackers are already using cloud services to run fuzzing tools, a very good thing for more developers to do so *before* shipping their code. Even better - procurements should *require* demonstration of application security testing for all software, whether custom developed or off the shelf.
Read more in:
Dark Reading: Microsoft Launches Cloud-Based Fuzzing
-http://www.darkreading.com/cloud/microsoft-launches-cloud-based-fuzzing-/d/d-id/1327052?
Ars Technica: Microsoft launches "fuzzing-as-a-service" to help developers find security bugs
-http://arstechnica.com/information-technology/2016/09/microsoft-launches-fuzzing-as-a-service-to-help-developers-find-security-bugs/
Google's Content Security Policy Evaluator Tool (September 27 & 28, 2016)
Google has released a new tool to help developers ensure that cross-site scripting error mitigation policies are effective. The CSP (Content Security Policy) Evaluator tool is used by Google engineers to get an idea about the effect of a policy. Google has also released the CSP Mitigator extension for Chrome, which developers can use to determine whether an application is compatible with CSP.
[Editor Comments ]
[Pescatore ]
The first step of basic medical hygiene is "wash your hands." If we are ever going to make substantial progress in reducing the damage from real world attacks, washing our hands of re-usable passwords has to be the first step for basic cyber security hygiene. Google, Mastercard, Mozilla, PayPal, Twitter and Visa are on the sponsor list - where are Microsoft/Apple/Facebook/ATT/Verizon etc.?? Part of National Cybersecurity Awareness Month efforts should focus on convincing your employees to shift to stronger authentication with their personal use - then BYOD will bring it to work!
Read more in:
ZDNet: Google tackles XSS scripting flaws with new developer tools
-http://www.zdnet.com/article/google-tackles-xss-scripting-flaws-with-new-developer-tools/
eWeek: Google Addressing Threats From Cross-Site Scripting Errors
-http://www.eweek.com/security/google-addressing-threats-from-cross-site-scripting-errors.html
Tesla Firmware Updates Now Require Code Signing (September 27, 2016)
After a video released last week indicated vulnerabilities in Tesla products that allowed attackers access to its driving systems, the company has updated its vehicle firmware in such a way that future attacks will be much more difficult. Now all firmware written to components on the car's CAN Bus must be digitally signed with a cryptographic key of which Tesla has sole possession. The new firmware security feature was pushed out wirelessly to all Tesla S cars and Tesla X SUVs.
Read more in:
Wired: Tesla Responds to Chinese Hack with a Major Security Upgrade
-https://www.wired.com/2016/09/tesla-responds-chinese-hack-major-security-upgrade/
Firefox to Block WoSign Certificates (September 27, 2016)
Mozilla plans to have its products distrust certificates issued by WoSign for at least one year, because the certificate authority was found to have taken shortcuts to circumvent rules regarding cryptographic signatures that threatened the transport layer security (TLS) system. WoSign backdated certificates issued within the past nine months to evade a ban on the SHA-1 hashing algorithm. It also concealed its acquisition of the StartCom certificate authority. Certificates from both companies will likely be blocked.
[Editor Comments ]
[Williams ]
This move by Mozilla demonstrates how fragile the certificate authority system is. One bad apple spoils the bunch, but market pressures continue to encourage a race to the bottom. Most organizations I work with have never taken inventory of the certificates used to secure their communications. Use Bro NSM (a free solution) to track SSL certificates used to secure your enterprise communications. While Mozilla may no longer be trusting WoSign certificates, many products will not act as proactively, leaving organizations open to risk.
[Ullrich ]
The big story here isn't really so much "WoSign", but "StartSSL". StartSSL is a company based in Israel that was purchased by WoSign. While WoSign tried to hide the purchase, StartSSL issued backdated certificates after the purchase and is now also threatened by the action against WoSign. StartSSL was popular because it issued free certificates, and these certificates may no longer be recognized as valid once browsers like Firefox stop trusting the StartSSL certificate authority. It is important that you proactively scan your environment to check whether you are using any WoSign or StartSSL certificates and replace them before these certificates become invalid. "Letsencrypt" is a free alternative that provides some nice tools to automate renewal (note that Letsencrypt certificates need to be renewed every 3 months, so automation is important).
Read more in:
Ars Technica: Firefox ready to block certificate authority that threatened Web security
-http://arstechnica.com/security/2016/09/firefox-ready-to-block-certificate-authority-that-threatened-web-security/
ZDNet: Mozilla to China's WoSign: We'll kill Firefox trust in you after mis-issued GitHub certs
-http://www.zdnet.com/article/mozilla-to-chinas-wosign-well-kill-firefox-trust-in-you-after-mis-issued-github-certs/
Edge's New Security Feature Will Virtualize Untrusted Web Pages (September 27 & 28, 2016)
A new security feature in Microsoft's Edge browser was met with mixed reviews. Windows Defender Application Guard will run in a virtualized Windows environment when visiting sites that are not on a whitelist created by IT staff. While some have greeted the new feature with enthusiasm, others note that there is a problem with the concept as a whole. Microsoft will begin rolling out the feature to users next year. It will be available to organizations that subscribe to Windows Enterprise E3 or E5.
[Editor Comments ]
[Williams ]
While it is likely that this will eventually increase organizations' security posture and protect against browser based exploits, this feature increases the attack surface of the browser. Any feature this complex is likely to have bugs; wait for the bugs to be worked out before adopting this feature.
Read more in:
Computerworld: Analysts laud and lance new Microsoft browser armor
-http://www.computerworld.com/article/3125008/microsoft-windows/analysts-laud-and-lance-new-microsoft-browser-armor.html
The Register: Microsoft preps defence against the dark arts for enterprise customers
-http://www.theregister.co.uk/2016/09/28/microsoft_preps_defence_against_webserved_malware_for_enterprise_customers/
INTERNET STORM CENTER TECH CORNER
Back in Time Memory Forensics
-https://isc.sans.edu/forums/diary/Back+in+Time+Memory+Forensics/21527/
Cameras Responsible For Large DDoS Attacks
-https://twitter.com/olesovhcom/status/779297257199964160
Google Releases CSP Support Tools
-https://csp-evaluator.withgoogle.com
and
-https://chrome.google.com/webstore/detail/csp-mitigator
Microsoft Launches "fuzzing-as-a-service"
-https://www.microsoft.com/en-us/springfield/
Rig Exploit Kit Used to Spread Locky Ransomware
-https://isc.sans.edu/forums/diary/Rig+Exploit+Kit+from+the+Afraidgate+Campaign/21531/
Facebook Releases osquery for Windows
-https://blog.trailofbits.com/2016/09/27/windows-network-security-now-easier-with-osquery/
Update Cowrie and "New" Default Password used in Internet Wide Scans
-https://isc.sans.edu/ssh.html?pw=xc3511
BIND Name Server Update
-https://kb.isc.org/article/AA-01393/74/CVE-2016-2775%3A-A-query-name-which-is-too-long-can-cause-a-segmentation-fault-in-lwresd.html
Various Cisco DoS Vulnerabilities
-https://tools.cisco.com/security/center/publicationListing.x?product=NonCisco#~Vulnerabilities
Turning the lights off with SNMP
-https://isc.sans.edu/forums/diary/SNMP+Pwn3ge/21533/
Yahoo! Answers Used in Command and Control Networks
-http://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/
Dlink Router Includes Stupid Simple UDP Backdoor
-https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html
Hikvision XXE Vulnerability
-https://medium.com/@iraklis/an-unlikely-xxe-in-hikvisions-remote-access-camera-cloud-d57faf99620f#.qukzihoew
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create