Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #80

October 07, 2016


The Internet of Evil Things is in the news: Most devices deployed as part of the Internet of Things (IoT) lack basic security hygiene and the wave of Mirai DDoS attacks exploits that weakness, compromising thousands of security cameras and DVRs and other IoT devices to launch powerful DDoS attacks. Denial of service may be the tip of the iceberg if we don't make rapid progress securing the IoT. Your first step, join Dr. Johannes Ullrich of SANS' Internet Storm Center on Thursday, October 13 at 1 pm ET, for his authoritative webinar, "The Internet of Evil Things: How to Detect and Secure Your Vulnerable Devices from the Mirai Botnet," There is no cost. Register at https://www.sans.org/webcasts/103182

TOP OF THE NEWS

Former NSA Contractor Arrested
Yahoo Scanned eMail for US Government
Details on Arizona Voter Registration System Breach

THE REST OF THE WEEK'S NEWS

Ad on Free Versions of Spotify Opened Malicious Sites
ICO Fines TalkTalk Over Customer Data Theft
Teenagers Arrested for Allegedly Operating Cyberattack-as Service Websites
Cerber Variant Tries to Terminate Database Server Processes
Android October Security Update
Prison Sentences for Pair Who Used Dridex to Drain Bank Accounts
Facebook Now Offers Opt-in Encryption for Mobile Messenger App

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


*********************** Sponsored By Splunk ************************

As more workloads and applications migrate to the cloud, your next breach or insider attack will most likely have you digging for evidence in the cloud. That's where Splunk can help. Watch this webinar to see a model for cloud breach investigations and incident review scenarios for cloud-enabled and cloud-dependent enterprises using Splunk. http://www.sans.org/info/188912

***************************************************************************

TRAINING UPDATE

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA |
https://www.sans.org/event/san-diego-2016

--SANS Munich Autumn 2016 | October 24-29, 2016 | Munich, Germany |
https://www.sans.org/event/munich-autumn-2016

--SANS Sydney 2016 | November 3-19, 2016 | Sydney, Australia |
https://www.sans.org/event/sydney-2016

--SANS London 2016 | November 12-21, 2016 | London, UK |
https://www.sans.org/event/london-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC |
https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV |
https://www.sans.org/event/las-vegas-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan |
https://www.sans.org/event/secure-japan-2017

***************************************************************************

TOP OF THE NEWS

Former NSA Contractor Arrested (October 5, 2016)

In August, the FBI arrested a former NSA contractor employee as part of an investigation into the theft of classified information. Harold Thomas Martin III has been charged with theft of government property and unauthorized removal and retention of classified materials after law enforcement agents found top-secret documents in his home and in his car.


[Editor Comments ]



[Pescatore ]
You probably knew this kind of thing was inevitable when in 2013, after the Snowden breach, the Director of NSA said the focus was on reducing the number of sys admins by 90% vs. stepping up monitoring of and controls on privileged user accounts. While a really determined malicious sys admin can be very hard to detect, privileged account management and database activity monitoring tools are in use by many large organizations to catch the less determined quickly and in many cases notice the more determined in months rather than years.

Read more in:

New York Times: N.S.A. Contractor Arrested in Possible New Theft of Secrets
-http://www.nytimes.com/2016/10/06/us/nsa-leak-booz-allen-hamilton.html

FCW: FBI arrests contractor for stealing secrets
-https://fcw.com/articles/2016/10/05/fbi-booz-contractor-arrest.aspx

Computerworld: FBI arrests and NSA contractor suspected of stealing documents, hacking tools
-http://www.computerworld.com/article/3128245/security/fbi-arrests-an-nsa-contrac
tor-suspected-of-stealing-documents-hacking-tools.html


DoJ: Government Contractor Charged with Removal of Classified Materials and Theft of Government Property
-https://www.justice.gov/usao-md/pr/government-contractor-charged-removal-classif
ied-materials-and-theft-government-property

Yahoo Scanned eMail for US Government (October 4 & 5, 2016)

According to Reuters, Yahoo created a tool to scan all customers' incoming emails for a certain set of characters at the behest of US intelligence. There is speculation that this is the first instance of a US Internet company agreeing to comply with a government demand to scanning all incoming messages. Former employees say that some senior executives were unhappy with the company's decision to comply with the demand. Alex Stamos, who at the time was Yahoo's CISO, left that company in June 2015.


[Editor Comments ]



[Pescatore ]
This is a good cautionary tale to use in your discussions with management, *not* because Yahoo cooperated with government demands for surveillance but because the Yahoo CEO showed a continuing pattern of ignoring CISO recommendations and choosing to accept high risks to avoid "inconveniencing" users. At just about the same time Yahoo made those decisions, its prime competitor Google was going the opposite way, "inconveniencing" users to protect them and their data. Even looking at it strictly from a financial perspective, it is clear who made the right business decisions.


[Honan ]
This issue could potentially reignite the EU and US debate over privacy of EU citizens when using US service providers. The Irish Data Protection Commissioner has launched an investigation into this issue as Yahoo!'s European HQ is located in Dublin, Ireland.
-https://www.rte.ie/news/business/2016/1005/821731-irish-data-chief-to-look-into-
yahoo-mail-scanning/



[Northcutt ]
The first shot across the bow on a reduced price for Yahoo allegedly happened yesterday, (which coincidently resembles Verizon's original bid). I have compiled a document tracking all aspects of the story, since it appears this event may help us quantify the cost of cybersecurity failure in a M&A situation.

-https://www.thestreet.com/story/13845519/1/verizon-vz-stock-down-reduces-offer-f
or-yahoo-by-1-billion.html


-https://securitywa.blogspot.com/2016/09/yahoo-verizon-breach-impact-on-future-m.
html


Read more in:

Reuters: Exclusive: Yahoo secretly scanned customer emails for U.S. intelligence - sources
-http://www.reuters.com/article/us-yahoo-nsa-exclusive-idUSKCN1241YT

Ars Technica: Yahoo's CISO resigned in 2015 over secret e-mail search tool ordered by feds
-http://arstechnica.com/tech-policy/2016/10/report-fbi-andor-nsa-ordered-yahoo-to
-build-secret-e-mail-search-tool/


Washington Post: Yahoo helps the government read your emails. Just following orders, they say.
-https://www.washingtonpost.com/lifestyle/style/yahoo-helps-the-government-read-y
our-emails-just-following-orders-they-say/2016/10/05/05648894-8b01-11e6-875e-2c1
bfe943b66_story.html

Details on Arizona Voter Registration System Breach (October 5, 2016)

Arizona's Secretary of State says that the breach of its voter registration system came via an email that appeared to be from an employee. Speaking at the Cyber Summit in Cambridge, Massachusetts, Michele Reagan said the intruders accessed voter data, but not vote tallying mechanisms. She also said that as soon as the breach was detected, they took the whole system offline.


[Editor Comments ]



[Murray ]
Jeh Johnson, Director of Homeland testified to "a limited number" of "intrusions."
-http://www.breitbart.com/2016-presidential-race/2016/09/27/dhs-chief-jeh-johnson
-confirms-successful-cyber-intrusions-into-voter-registration-rolls/

One infers that this is not an isolated incident.

Read more in:

CNBC: Email that hacked AZ voter registration looked like an employee, official says
-http://www.cnbc.com/2016/10/05/email-that-hacked-az-voter-registration-looked-li
ke-an-employee-said-official.html



*************************** SPONSORED LINKS *****************************

1) FREE DUMMIES eBOOK - Accelerate Incident Response with NetFlow Analysis! Learn best practices today! http://www.sans.org/info/188917

2) Join Bugcrowd, SANS, and a customer panel to discuss the momentum behind crowdsourced security. http://www.sans.org/info/188922

3) SANS 2016 Security Analytics & Intelligence Survey is now OPEN! Take the survey and enter to win a $400 Amazon Gift Card: http://www.sans.org/info/188927

******************************************************************************

THE REST OF THE WEEK'S NEWS

Ad on Free Versions of Spotify Opened Malicious Sites (October 6, 2016)

Spotify has fixed a problem that was allowing advertisements to open malicious websites in users' browsers. The issue affected users running the free version of Spotify's music service on Windows, Mac, and Linux operating systems. Spotify says the issue was traced to a singe ad that has since been removed.


[Editor Comments ]



[Honan ]
If media organisations want to make money from promoting adverts through their websites or their services then they need to be more proactive in ensuring content from the ad networks do not damage their customers. Otherwise these services will see more and more customers using adblockers and suffering a subsequent hit in their online revenue.

Read more in:

BBC: Spotify ads 'launched virus pop-ups'?
-http://www.bbc.com/news/technology-37573815

Telegraph: Spotify has been serving computer viruses to listeners
-http://www.telegraph.co.uk/technology/2016/10/06/spotify-has-been-sending-comput
er-viruses-to-listeners/

ICO Fines TalkTalk Over Customer Data Theft (October 5 & 6, 2016)

The UK Information Commissioner's Office (ICO) has fined telecommunications company TalkTalk u400,000 (US $497,000) for inadequate security resulting in the theft of customer data. The incident occurred in October 2015. The attackers were able to access the personal information of more than 156,000 TalkTalk customers; roughly 16,000 of those records included bank account information. If TalkTalk pays the fine by November 1, 2016, it will be reduced by 20 percent.


[Editor Comments ]



[Honan ]
It is interesting to note that the penalty issued by the ICO was for failure to "take appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data" which the ICO pointed to "The Group was operating outdated database software that was affected by a bug for which a fix had been made available over three and a half years before the cyber-attack" and that "the Group failed to undertake appropriate proactive monitoring activities to discover vulnerabilities". More details are available in the ICO report
-https://ico.org.uk/media/action-weve-taken/mpns/1625131/mpn-talk-talk-group-plc.
pdf


Read more in:

BBC: TalkTalk fined u400,000 for theft of customer details
-http://www.bbc.com/news/business-37565367

V3: TalkTalk fine: Firm will have to pay only u320,000 if it coughs up early
-http://www.v3.co.uk/v3-uk/news/2473121/talktalk-fined-record-gbp400-000-for-2015
-hack

Teenagers Arrested for Allegedly Operating Cyberattack-as Service Websites (October 5 & 6, 2016)

Authorities have arrested two teenagers for their alleged involvement in the Lizard Squad and PoodleCorp hacking groups. The two young men, Zachary Buchta and Bradley Jan Willem van Rooy, allegedly ran websites that offered cyberattack as a service. Buchta was arrested in September in Maryland, and van Rooy was arrested in the Netherlands, where he remains in custody. The US Department of Justice has charged them with conspiracy to cause damage to protected computers.

Read more in:

Dark Reading: Two Teenagers Arrested For Alleged Cyberattack-For-Hire Services
-http://www.darkreading.com/attacks-breaches/two-teenagers-arrested-for-alleged-c
yberattack-for-hire-services/d/d-id/1327112?


KrebsOnSecurity: Feds Charge Two in Lizard Squad Investigation
-https://krebsonsecurity.com/2016/10/feds-charge-two-in-lizard-squad-investigatio
n/


DoJ: American and Dutch Teenagers Arrested on Criminal Charges for Allegedly Operating International Cyber-Attack-For-Hire Websites
-https://www.justice.gov/usao-ndil/pr/american-and-dutch-teenagers-arrested-crimi
nal-charges-allegedly-operating

Cerber Variant Tries to Terminate Database Server Processes (October 5, 2016)

A new version of Cerber ransomware takes the additional step of killing processes that are associated with database servers. If database files are being used while ransomware tries to encrypt them, the malware would be prevented from accessing those files. The new Cerber variant attempts to terminate those processes to gain access to as many files as possible.


[Editor Comments ]



[Williams ]
The bad news here is that this represents an (inevitable) evolution in ransomware development. The good news here is that when ransomware shuts down your database processes in advance of encrypting files, your operations monitoring should pick up the attack nearly immediately, making the presence of the ransomware more obvious. Organizations should already be backing up critical databases regularly, but now is a good time to double check that this is happening. Also test your operations monitoring to be sure it will notice ransomware-disabling database processes.

Read more in:

Computerworld: Cerber ransomware kills processes need to access data
-http://www.computerworld.com/article/3127602/security/cerber-ransomware-kills-pr
ocesses-needed-to-access-data.html

Android October Security Update (October 5, 2016)

Google's Android security bulletin for October 2016 includes fixes for 78 vulnerabilities. Seven have been deemed critical. Three of those critical flaws are in Qualcomm components.

Read more in:

eWeek: Google Patches Android for 78 Vulnerabilities in October Update
-http://www.eweek.com/security/google-patches-android-for-78-vulnerabilities-in-o
ctober-update.html

Prison Sentences for Pair Who Used Dridex to Drain Bank Accounts (October 5, 2016)

Two men have been found guilty of conspiracy to possess false identification and conspiracy to launder money and have been sentenced to prison. Pavel Gincota and Ion Turcan used the Dridex banking Trojan to steal than £2.5 million (US $3.1 million). They were sentenced in the UK.

Read more in:

The Register: Moldovan Dridex millionaires to spend 12 years in jail
-http://www.theregister.co.uk/2016/10/05/moldovan_miscreants_made_millions_mannin
g_malware_mischief/


Daily Mail: Moldovan conmen who laundered millions of pounds ...
-http://www.dailymail.co.uk/news/article-3823455/Moldovan-conmen-laundered-millio
ns-pounds-stole-using-virus.html

Facebook Now Offers Opt-in Encryption for Mobile Messenger App (October 5, 2016)

Facebook is now offering an opt-in encryption for its Messenger mobile app. The "Secret Conversations" feature allows users to send messages that no one but the sender and the recipient will be able to read. It also allows senders to set a destruction time of between five seconds and one day for sent messages.

Read more in:

ZDNet: Facebook rolls out opt-in encryption for 'secret' Messenger chats
-http://www.zdnet.com/article/facebook-rolls-out-opt-in-encryption-for-secret-mes
senger-chats/


Christian Science Monitor: Facebook launches encryption option for Messenger
-http://www.csmonitor.com/Technology/2016/1005/Facebook-launches-encryption-optio
n-for-Messenger


INTERNET STORM CENTER TECH CORNER

Please Report Any Hurricane Matthew Related Malware/Scams
-https://isc.sans.edu/contact.html

SSL Requests to Non-SSL Web Servers
-https://isc.sans.edu/forums/diary/SSL+Requests+to+nonSSL+HTTP+Servers/21551/

Insulin Pump Vulnerablities
-https://community.rapid7.com/community/infosec/blog/2016/10/04/r7-2016-07-multip
le-vulnerabilities-in-animas-onetouch-ping-insulin-pump

SSH Konami Codes
-http://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-
ssh-control-sequences

Cyber Security Awareness Month
-https://securingthehuman.sans.org/blog/2016/10/02/week01-kicking-off-ncsam/

OpenJPEG Flaw
-http://blog.talosintel.com/2016/09/vulnerability-spotlight-jpeg2000.html

Securing the Human Newsletter
-https://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201610_en.pdf

"Security Fatigue"
-https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-compute
r-users-feel-hopeless-and-act-recklessly

"Selfi Pay" Facial Recognition
-http://www.theregister.co.uk/2016/10/05/mastercard_selfie_pay/

"MarsJoke" Ransomware Decrypted
-https://threatpost.com/researchers-break-marsjoke-ransomware-encryption/121022/

More Honeypot Fun
-https://isc.sans.edu/forums/diary/Checking+my+honeypot+day/21561/

OS X Webcam Exploit
-https://objective-see.com/products/oversight.html

iOS 10 Private Browsing
-https://www.intaforensics.com/2016/09/30/ios-10-private-browsing-how-private-is-
it/

Hacked Steam Accounts Used to Spread Malware
-http://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-re
mote-access-trojan/



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create