SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #79

October 04, 2016


The coolest hands-on cyber training opportunity (early bird deadline October 7): SANS HackFest in Washington DC in early November is packed with extra opportunities for hands-on learning and networking: 2 full days of in-depth talks from real-world hands-on experts, focused on how offense can inform defense and forensics, plus 7 great SANS immersion courses on up-to-date advanced topics. Add to that 3 nights (not the usual 2) of the NetWars Experience for students to practice the lessons they learn in class and earn up to FIVE SANS challenge coins as trophies for courses they've taken in the past. We'll even do a night of CyberCity missions for you to defend the physical model city and its critical infrastructure against nefarious attackers. We'll have a super secret field trip with a fun team-based scavenger hunt and capture the flag event for networking and further learning. And Ed Skoudis' wife will bake her world-famous cookies to share with everyone at the event. Registration and more info at http://www.sans.org/hackfest.

TOP OF THE NEWS

DHS Says Attackers Probing US States' Voting Systems
UK's National Cyber Security Center HQ Open for Business
Apple to Block Trust for WoSign Certificates
Internet of Things DDoS Code Shared Online

THE REST OF THE WEEK'S NEWS

Your DVR Is Falling To Attackers Who Try 50 Times Per Hour
Google Patches Use-After-Free Vulnerability in Chrome
OpenJPEG Flaw Patched
Dell EMC Management Console Vulnerabilities Fixes
Army is Ahead of Other Services in Establishing Cyber Mission Forces
DressCode Trojan Found in Apps in Google Play Store

INTERNET STORM CENTER TECH CORNER


*********************** Sponsored By Sophos, Inc. ************************

With ransomware making headlines for all of the wrong reasons, the pressure is on to put together a top of the line defense. Starting from scratch can be tough, so head to the Sophos Anti-Ransomware Hub and get resources that help you better understand the threat and choose the best possible security solution. Learn More: http://www.sans.org/info/188807

***************************************************************************

TRAINING UPDATE

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA |
https://www.sans.org/event/san-diego-2016

--SANS Munich Autumn 2016 | October 24-29, 2016 | Munich, Germany |
https://www.sans.org/event/munich-autumn-2016

--SANS Sydney 2016 | November 3-19, 2016 | Sydney, Australia |
https://www.sans.org/event/sydney-2016

--SANS London 2016 | November 12-21, 2016 | London, UK |
https://www.sans.org/event/london-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC |
https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV |
https://www.sans.org/event/las-vegas-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan |
https://www.sans.org/event/secure-japan-2017

***************************************************************************

TOP OF THE NEWS

DHS Says Attackers Probing US States' Voting Systems (October 1 & 3, 2016)

According to a US Department of Homeland Security (DHS) official, voter registration systems in at least 20 states have been breached or probed by attackers. DHS says there is no evidence that data have been altered. However, the fact of the intrusions themselves could cause people to doubt the integrity of US voting systems.

Read more in:

Fortune: DHS Confirms Hackers Targeted Election Systems in 20 States
-http://fortune.com/2016/10/01/hackers-targeted-election-systems/

Dark Reading: Hackers Attacked Voter Registration Systems Of 20 US States, Says Official
-http://www.darkreading.com/cloud/hackers-attacked-voter-registration-systems-of-20-us-states-says-official/d/d-id/1327079

UK's National Cyber Security Center HQ Open for Business (October 3, 2016)

The UK's National Cyber Security Centre is now open. The Centre will coordinate the UK's response to cyber threats and provide help to public and private sector organizations. The Centre's Prospectus lists four key objectives: to understand the cyber security environment and share knowledge; to help public and private sector organizations improve cyber security; to respond to cybersecurity incidents; and to foster its cyber security capability and provide leadership.


[Editor Comments]



[Shpantzer]
I'd like to see a national effort where one of the multiple 'centers' goes out and helps organisations implement the Top 4 of the ASD 35. Vendors could volunteer some of their software to show efficacy and reap PR rewards from 'saves' in the experiment. Who's with me?


[Paller]
"Like" Shpantzer's idea. A national competition for who could implement the most cost-effectively would accelerate it.

Read more in:

SC Magazine UK: National Cyber Security Centre HQ Operational
-http://www.scmagazineuk.com/ncsc-will-be-based-in-the-nova-office-and-shopping-complex-near-victoria-station-in-london/article/526405/


V3: UK National Cyber Security Centre comes online to protect nation from threats
-http://www.v3.co.uk/v3-uk/news/2472782/uk-national-cyber-security-centre-comes-online-to-protect-nation-from-threats

Apple to Block Trust for WoSign Certificates (October 3, 2016)

Starting with its next round of updates for iOS and macOS, Apple will block trust for digital certificates issued by the WoSign CA (Certificate Authority) Free SSL Certificate G2 Intermediate CA. Last week, Mozilla announced that it would likely begin blocking WoSign certificates after learning that the CA had backdated certificates to evade the SHA-1 deprecation rules and that it was not forthcoming about its acquisition of StartCom.


[Editor Comments]



[Ullrich]
Only newly issued certificates will be blocked. If you had your certificate issued before September 19th, and if your certificate was published in a certificate transparency log, then you should be ok for now. But it is still time to move away from WoSign/StartSSL. For a free alternative, try out "letsencrypt". But if you do, realize that letsencrypt certificates are good for only 3 months and you need to automate renewals (scripts to do so are available).


[Northcutt]
The Register article does not tell the whole story. "Trust anchors" is an important concept for whitelisting (trusting) software signed by a trusted certificate authority. If a CA acts irresponsibly, the downstream impacts can be very large. Mozilla is only talking about suspending trust for a year to give WoSign time to clean up their procedures. This is not a deep technical problem, it is a procedural problem. The Schrauger article below provides more useful detail.


-https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com



-https://support.apple.com/en-us/HT204132


-http://www.zdnet.com/article/mozilla-to-chinas-wosign-well-kill-firefox-trust-in-you-after-mis-issued-github-certs/
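Ullrich's rule above (issuer WoSign or StartCom, issued after September 19th = distrusted; issued earlier and published in a CT log = acceptable for now) can be turned into a quick inventory check of the servers you operate. The script below is an added example, not code from SANS or from any of the commentators. It uses only Python's standard library; the cutoff date, the issuer organisation strings it matches, and the sample certificate dictionaries are assumptions constructed for illustration, and CT-log presence is not visible in `getpeercert()` output, so a "legacy" result still needs that second condition checked by hand.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed cutoff from the editor comment: certificates issued after
# September 19th 2016 are the ones Apple and Mozilla will stop trusting.
CUTOFF = datetime(2016, 9, 19, 23, 59, 59, tzinfo=timezone.utc)
# Assumed issuer organisations to flag (WoSign and the StartCom it acquired).
DISTRUSTED_ORGS = ("WoSign", "StartCom")


def _name_field(name_seq, key):
    """Pull one attribute out of the nested RDN tuples that getpeercert() returns."""
    for rdn in name_seq:
        for attr_key, attr_value in rdn:
            if attr_key == key:
                return attr_value
    return ""


def classify(cert):
    """Return 'ok', 'legacy' or 'distrusted' for a cert dict in getpeercert() format.

    'legacy' means the issuer is on the distrust list but the certificate predates
    the cutoff; it stays usable for now only if it was also logged to CT.
    """
    issuer_org = _name_field(cert.get("issuer", ()), "organizationName")
    if not any(org in issuer_org for org in DISTRUSTED_ORGS):
        return "ok"
    # cert_time_to_seconds() parses the 'Sep 20 00:00:00 2016 GMT' form used by ssl.
    issued = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notBefore"]), tz=timezone.utc
    )
    return "distrusted" if issued > CUTOFF else "legacy"


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch a live server certificate (only used when run against a real host)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def classify_all(certs):
    """Classify a {label: cert_dict} inventory and return {label: verdict}."""
    return {label: classify(cert) for label, cert in certs.items()}


# Constructed sample inventory in the same shape getpeercert() produces.
SAMPLES = {
    "shop.example": {
        "issuer": ((("countryName", "CN"),), (("organizationName", "WoSign CA Limited"),)),
        "notBefore": "Sep 20 00:00:00 2016 GMT",
        "notAfter": "Sep 20 00:00:00 2017 GMT",
    },
    "mail.example": {
        "issuer": ((("countryName", "IL"),), (("organizationName", "StartCom Ltd."),)),
        "notBefore": "Mar 01 00:00:00 2016 GMT",
        "notAfter": "Mar 01 00:00:00 2017 GMT",
    },
    "www.example": {
        "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
        "notBefore": "Sep 25 00:00:00 2016 GMT",
        "notAfter": "Dec 24 00:00:00 2016 GMT",
    },
}

if __name__ == "__main__":
    for label, verdict in classify_all(SAMPLES).items():
        print(f"{label:15s} {verdict}")
```

Replace the constructed `SAMPLES` with `{host: fetch_cert(host) for host in your_hosts}` to run it against real servers; anything reported as "distrusted" should be reissued elsewhere before the Apple and Mozilla updates ship.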



Read more in:

The Register: Apple chops woeful WoSign HTTPS certs from iOS, macOS
-http://www.theregister.co.uk/2016/10/03/apple_wosign_certificates/

IoT DDoS Code Shared Online (October 2 & 3, 2016)

Source code that has been used to drive Internet of Things (IoT) botnets has been released online. Known as Mirai, the code was used in the distributed denial-of-service (DDoS) attack that targeted KrebsOnSecurity last month. Internet monitoring organizations have already noted an increase in scanning for vulnerable IoT devices.


[Editor Comments]



[Williams]
While the release of this code is interesting, I have already seen backdoored copies of the code repository popping up on line. Be careful before downloading and compiling this (or any other) source code for "testing" in your environment.


[Murray]
It should not be lost in all of this that the appliances taken over in this attack are cameras. Whether one worries most about exploitation of the appliance function or the general purpose function, this should be a caution. The day may be coming when the only way to protect the community from these devices being exploited by rogues is to preemptively take them down.

Read more in:

BBC: Fears of massive net attacks as code shared online
-http://www.bbc.com/news/technology-37540732

Ars Technica: Brace yourselves - source code powering potent IoT DDoSes just went public
-http://arstechnica.com/security/2016/10/brace-yourselves-source-code-powering-potent-iot-ddoses-just-went-public/


The Register: Source code unleashed for junk-blasting Internet of Things botnet
-http://www.theregister.co.uk/2016/10/03/iot_botnet/

KrebsonSecurity: Source Code for IoT Botnet 'Mirai' Released
-https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/


*************************** SPONSORED LINKS *****************************

1) Attend the SANS Financial Services Cyber Security Briefing and Networking Lunch in NYC October 14th. http://www.sans.org/info/188812

2) Attend SANS HackFest! In-depth talks, pen test courses, NetWars, & more! DC: Nov 2 -- 9. Register: http://www.sans.org/info/188817

3) Join Bugcrowd, SANS, and a customer panel to discuss the momentum behind crowdsourced security. http://www.sans.org/info/188822

******************************************************************************

THE REST OF THE WEEK'S NEWS

Google Patches Use-After-Free Vulnerability in Chrome (September 29 & October 3, 2016)

Google's fixes for its Chrome browser include one for a use-after-free vulnerability. Last week, the Chrome stable channel was updated to version 53.0.2785.143; it is scheduled to roll out over the next few weeks. The update addresses a total of three security issues.

Read more in:

SC Magazine: Google Chrome update corrects use-after-free vulnerability
-http://www.scmagazine.com/google-chrome-update-corrects-use-after-free-vulnerability/article/526453/


Google Blog: Stable Channel Update for Desktop
-https://googlechromereleases.blogspot.com/2016/09/stable-channel-update-for-desktop_29.html

OpenJPEG Flaw Patched (September 29 & October 3, 2016)

Researchers at Cisco's Talos Group have found an out-of-bounds vulnerability in the OpenJPEG JPEG 2000 codec that could be exploited to allow remote code execution. The vulnerability lies in the JPEG 2000 image file format parser. Attackers could exploit the flaw by getting users to open maliciously crafted JPEG 2000 images. Talos researchers notified the vendor of the vulnerability in July; it has been fixed in a recent update.


[Editor Comments]



[Williams]
The most likely attack vector for most users is through the handling of PDFs, since a number of PDF readers use OpenJPEG for handling JPEG data. Patches will likely be released quickly by vendors, but since this is a relatively easy-to-exploit vulnerability (as heap exploits go), users should apply patches as soon as they are available.

Read more in:

ZDNet: OpenJPEG zero-day flaw leads to remote code execution
-http://www.zdnet.com/article/openjpeg-zero-day-flaw-leads-to-remote-code-execution/


Talos: OpenJPEG JPEG2000 MCC record Code Execution Vulnerability
-http://www.talosintelligence.com/reports/TALOS-2016-0193/

Dell EMC Management Console Vulnerabilities Fixes (October 3, 2016)

Dell EMC has patched several vulnerabilities in its management interfaces for VMAX storage systems. Three of the flaws could be exploited to expose data or completely compromise vulnerable systems.

Read more in:

Computerworld: Dell EMC patches critical flaws in VMAX enterprise storage systems
-http://www.computerworld.com/article/3127144/security/dell-emc-patches-critical-flaws-in-vmax-enterprise-storage-systems.html


Ars Technica: Security company finds five "zero-day" flaws in EMC management console
-http://arstechnica.com/security/2016/10/security-company-finds-five-zero-day-flaws-in-emc-management-console/

Army is Ahead of Other Services in Establishing Cyber Mission Forces (October 3, 2016)

General Robert Abrams, commanding general of the US Army Forces Command, said the Army is "the only service that's created its own cyber branch and its own military occupational specialty for enlisted [personnel]." The Army has conducted five cyber training exercises over the past year. General Abrams also said that "there's a tremendous amount of tactical application" that cannot yet be implemented because there is not the authority to use them.


[Editor Comments]



[Assante]
For the Cyber Protection Teams (CPTs) there is no lack of opportunities to find intrusions. For the remainder of the force, it is essential that training simulations, exercises, and tests provide facsimiles of 'real world' experiences to develop the necessary methods and memory that will sharpen these forces.

Read more in:

FCW: General: Cyber capabilities exceed authority
-https://fcw.com/articles/2016/10/03/abrams-ausa-cyber.aspx

DressCode Trojan Found in Apps in Google Play Store (September 30 & October 3, 2016)

A Trojan horse program known as DressCode has been found on more than 400 apps in the Google Play Store. The malware has been detected in 3,000 Android apps overall. DressCode is capable of making its way onto networks that infected devices connect to and stealing data.


[Editor Comments]



[Murray]
Of course, the real issue is not so much how many dirty apps there are as how many devices have copies of them. Nice people do not give Android devices to children, the elderly, or the otherwise naive.

Read more in:

Ars Technica: More than 400 malicious apps infiltrate Google Play
-http://arstechnica.com/security/2016/09/more-than-400-malicious-apps-infiltrate-google-play/


Computerworld: Android malware that can infiltrate corporate networks is spreading
-http://www.computerworld.com/article/3126390/security/android-malware-that-can-infiltrate-corporate-networks-is-spreading.html


SC Magazine: DressCode spotted in 3K Android apps, 400 in Google Play
-http://www.scmagazine.com/no-shoes-shirts-or-ties-needed-in-order-to-be-served-by-this-trojan-malware/article/526451/


ZDNet: Over 400 instances of Dresscode malware found on Google Play store, say researchers
-http://www.zdnet.com/article/over-400-instances-of-dresscode-malware-found-on-google-play-store-say-researchers/


INTERNET STORM CENTER TECH CORNER

Another Day, Another Malicious Behaviour
-https://isc.sans.edu/forums/diary/Another+Day+Another+Malicious+Behaviour/21539/

Capcom's Streetfighter V Anti Cheat Tool Allows Privilege Escalation
-https://twitter.com/TheWack0lian/status/779397840762245124/photo/1?ref_src=twsrc%5Etfw

Apple Joins Mozilla In Distrusting WoSign
-https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/lWJ1zdUJPLI

"Footprints" Browser Extension Demonstrates Unmasking Users' Identity
-https://footprints.stanford.edu

Password Buddies
-https://isc.sans.edu/forums/diary/Password+Buddies+A+Better+Way+To+Reset+Passwords/21547/

iMessage Data Leakage
-http://rsmck.co.uk/blog/imessage-preview/

Exploiting HP Thin Client
-http://blog.malerisch.net/2016/10/pwning-thin-client-in-less-two-minutes2-cve2016-2246.html



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create