
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #81

October 11, 2016




TOP OF THE NEWS

Terrorism and Encryption: Charges Filed in London
Europe Drafting IoT Security Requirements
US Points Finger at Russia for DNC Hack

THE REST OF THE WEEK'S NEWS

People Who Make A Difference in Cybersecurity
Microsoft's New Windows Patching Model Starts This Month
France's TV5Monde Weathered an Attack Last Year
StrongPity APT Watering Hole Attacks
EFF Says Yahoo Spying Order Must be Declassified
UK Police Charge Another Suspect in ATM Malware Case
Johnson & Johnson Warns Patients of Insulin Pump Flaw

INTERNET STORM CENTER TECH CORNER



*********************** Sponsored By AlienVault ************************

What is threat intelligence? Why is threat intelligence critical for organizations? Find out the answer to these questions and many more in this beginner's guide to threat intelligence: http://www.sans.org/info/188962

***************************************************************************

TRAINING UPDATE

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA |
https://www.sans.org/event/san-diego-2016

--SANS Munich Autumn 2016 | October 24-29, 2016 | Munich, Germany |
https://www.sans.org/event/munich-autumn-2016

--SANS Sydney 2016 | November 3-19, 2016 | Sydney, Australia |
https://www.sans.org/event/sydney-2016

--SANS London 2016 | November 12-21, 2016 | London, UK |
https://www.sans.org/event/london-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC |
https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV |
https://www.sans.org/event/las-vegas-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan |
https://www.sans.org/event/secure-japan-2017

***************************************************************************

TOP OF THE NEWS

Terrorism and Encryption: Charges Filed in London (October 5 & 10, 2016)

Police in London, UK, have charged a man on six counts of terrorism, two of which involve the use of encryption. Samata Ullah was charged with terrorist training that involved "provid[ing] instruction or training in the use of encryption programmes" to a person he knew planned to use it to prepare for or commit a terrorist act; and with preparation for terrorism, which involved assisting others in acts of terrorism by "researching an encryption program, developing an encrypted version of his blog site, and publishing the instructions around the use of programme on his blog site."


Read more in:

ZDNet: London police charge man with terrorism over use of encryption
-http://www.zdnet.com/article/london-police-charge-man-with-terrorism-over-use-of-encryption/


Metropolitan Police: UPDATE: Man charged with terror offenses remanded in custody
-http://news.met.police.uk/news/man-charged-with-terror-offences-189511

Europe Drafting IoT Security Requirements (October 8, 2016)

The European Commission is drafting new laws aimed at improving security of the Internet of Things (IoT). The rules are a part of the European Commission's plan to rework its telecommunications laws.


[Editor Comments]

[Pescatore] The medical machinery/devices and industrial control systems have had over a decade to self-regulate and have failed. And those are industries selling to business. The current and future wave of "things" in the IoT is consumer-driven and built and sold by thousands of companies that can't even spell cybersecurity. The European Commission seems to be aiming at a UL- or Energy Star-like certification program. If the "basic security hygiene" certification bar is high enough (a big "if"), that is a good starting point.

Read more in:

KrebsOnSecurity: Europe to Push New Security Rules Amid IoT Mess
-https://krebsonsecurity.com/2016/10/europe-to-push-new-security-rules-amid-iot-mess/

US Points Finger at Russia for DNC Hack (October 7, 2016)

The US Department of Homeland Security (DHS) and the Office of the Director of National Intelligence have issued a joint statement stating their confidence that the Russian government is behind cyberattacks on US political organizations and state election boards. The statement says, "These thefts and disclosures are intended to interfere with the US election process."

Read more in:

Ars Technica: US government: Russia behind hacking campaign to disrupt US elections
-http://arstechnica.com/tech-policy/2016/10/us-government-russia-behind-hacking-campaign-to-disrupt-us-elections/


Computerworld: US lays blame on Russian government for election-related hacking
-http://www.computerworld.com/article/3128877/security/us-lays-blame-on-russian-government-for-election-related-hacking.html


ZDNet: US officially accuses Russia of political cyber attacks
-http://www.zdnet.com/article/us-officially-accuses-russia-of-political-cyber-attacks/


DNI and DHS Joint Statement
-https://www.dni.gov/index.php/newsroom/press-releases/215-press-releases-2016/1423-joint-dhs-odni-election-security-statement



*************************** SPONSORED LINKS *****************************

1) Attend the SANS Financial Services Cyber Security Briefing and Networking Lunch in NYC October 14th. http://www.sans.org/info/188967

2) They Can Run, But They Can't Hide: Real-Time Threat Hunting Using Passive DNS. Register: http://www.sans.org/info/188972

3) The State of Vulnerability Discovery - How Bug Bounties Are Actually Making a Difference. Learn More: http://www.sans.org/info/188977

******************************************************************************

THE REST OF THE WEEK'S NEWS

Microsoft's New Windows Patching Model Starts This Month (October 10, 2016)

Starting on Tuesday, October 11, 2016, Microsoft is moving to a rollup model for updates to Windows 7 SP1; Windows 8.1; Windows Server 2008 R2; Windows Server 2012; and Windows Server 2012 R2. Windows 10 updates have been cumulative since the operating system was introduced last year.

Read more in:

Computerworld: Microsoft fleshes out seismic change to Windows patching
-http://www.computerworld.com/article/3129473/windows-pcs/microsoft-fleshes-out-seismic-change-to-windows-patching.html


Microsoft Technet Blog: More on Windows 7 and Windows 8.1 servicing changes
-https://blogs.technet.microsoft.com/windowsitpro/2016/10/07/more-on-windows-7-and-windows-8-1-servicing-changes/

France's TV5Monde Weathered an Attack Last Year (October 10, 2016)

In April 2015, France's TV5Monde was targeted by a cyberattack that caused all 12 of the network's stations to go off the air for several hours. TV5Monde director-general, Yves Bigot, said the active attack started on April 8, 2015, the day TV5Monde launched a new channel. One of the technicians who had helped with the launch of the new channel was able to identify the machine that was the locus of the attack and disconnect it from the Internet. The attackers had gained initial access to TV5Monde's systems on January 23, 2015; they conducted reconnaissance and used the information to customize malware to corrupt and destroy the network's operations hardware.

Read more in:

BBC: How France's TV5 was almost destroyed by 'Russian hackers'
-http://www.bbc.com/news/technology-37590375

The Register: TV5Monde was saved from airtime-KO hack by unplugging infected box
-http://www.theregister.co.uk/2016/10/10/tv5monde_hack/

StrongPity APT Watering Hole Attacks (October 10, 2016)

According to Kaspersky Lab, an Advanced Persistent Threat (APT) group known as StrongPity has been targeting cryptographic downloads. Over the summer, the group focused its activity on TrueCrypt and WinRAR, using watering hole attacks to lure users into downloading infected versions of the software.


[Editor Comments]

[Williams] This story highlights why centralized software management is critically important. Attackers targeting unsuspecting users through trojaned encryption software underscores the risk we take in allowing users to download and install their own software. It is all too easy for users to fall victim to attacks such as this, while systems administrators are more likely to carefully evaluate downloads and download links. Organizations battling overly generous user permissions should use this as a teachable moment.

[Paller] IOW, whitelisting through app stores makes sense.

Read more in:

Computerworld: StrongPity APT attack group booby-trapped WinRAR and TrueCrypt downloads
-http://www.computerworld.com/article/3129726/security/strongpity-apt-attack-group-booby-trapped-winrar-and-truecrypt-downloads.html

EFF Says Yahoo Spying Order Must be Declassified (October 10, 2016)

In a blog post, the Electronic Frontier Foundation (EFF) said that the US government must disclose its order that compelled Yahoo to scan incoming email for certain sets of characters. The EFF wrote, "Section 402 of the USA FREEDOM Act, passed in June 2015, specifically requires government officials to 'conduct a declassification review of each decision, order or opinion issued' by the FISC 'that includes a significant construction or interpretation of any provision of law.'"


[Editor Comments]

[Northcutt] This law is one year old. So there is no case law for something this massive. The judge on this case will have a lot of leeway.

Read more in:

ZDNet: US required to declassify Yahoo spying order, say experts
-http://www.zdnet.com/article/us-required-to-declassify-yahoo-spying-order-say-experts/


EFF: USA Freedom Act Requires Government to Declassify Any Order to Yahoo
-https://www.eff.org/deeplinks/2016/10/usa-freedom-act-requires-government-declassify-any-order-yahoo

UK Police Charge Another Suspect in ATM Malware Case (October 7, 2016)

Police in London, UK, have arrested a man for allegedly putting malware on ATMs. Ionut Emanual Leahu was extradited from Romania to face a charge of conspiracy to defraud. Two other people have already been sentenced to prison for their roles in the 2014 scheme in which more than £1.5 million (US $1.85 million) was stolen.

Read more in:

The Register: London cops charge ATM malware hacker
-http://www.theregister.co.uk/2016/10/07/london_cops_charge_atm_malware_hacker/

City of London Police: Man charged with conspiracy to defraud
-https://www.cityoflondon.police.uk/news-and-appeals/Pages/Man-charged-with-conspiracy-to-defraud--.aspx

Johnson & Johnson Warns Patients of Insulin Pump Flaw (October 4, 2016)

Johnson & Johnson is warning patients that a vulnerability in one of its insulin pumps could be exploited to alter dosages. J&J learned of the issue affecting its Animas OneTouch Ping device from Jay Radcliffe in April 2016. The vulnerability lies in the communication between the pump and its wireless remote control, which allows setting changes; that traffic is not encrypted and could be intercepted. In its letter to patients, J&J suggests several measures to guard against attacks.


[Editor Comments]

[Pescatore] While scary, this is a pretty low risk vulnerability. But, it is great seeing Johnson & Johnson have to do a broad disclosure to over 100,000 patients and doctors. The costs of disclosure are probably similar to a data breach, so this will be at least a $10 million event for them even before any lawsuits. Not that big a price, by pharma revenue standards, but since the FDA enforcement has been non-existent, this is a start. Even better will be seeing the hospitals and physicians recommending devices for implant start to ask about security *before* placing the order with that pharmaceutical sales rep.

[Williams] J&J says exploiting the flaw would require extreme technical expertise. Reverse engineering an unencrypted wireless protocol is anything but technical. Also, attackers communicate with wireless devices at ranges much longer than designed by the manufacturer using amplifiers and better antennas. Manufacturers should stop hiding behind "close access is required" and "extremely technical exploit" and start being realistic with their customers about worst case scenarios.

Read more in:

Reuters: J&J warns diabetic patients: Insulin pump vulnerable to hacking
-http://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e-idUSKCN12411L


INTERNET STORM CENTER TECH CORNER

First Hurricane Matthew Phish Impersonating Stripe
-https://isc.sans.edu/forums/diary/First+Hurricane+Matthew+related+Phish/21571/

Samsung Galaxy S6 "KNOXOut" Vulnerability
-http://media.wix.com/ugd/4e84e6_668d564cc447434a9a8fda3c13a63f6a.pdf

Windows 10 Anniversary Edition Improves IE 10 XSS Protection
-http://mksben.l0.cm/2016/10/xss-via-referrer.html

Radare2's rahash2 Utility Can Calculate File Entropy
-https://isc.sans.edu/forums/diary/Radare2+rahash2/21577/

Spoofing IPs Still Works
-https://idea.popcount.org/2016-09-20-strange-loop---ip-spoofing/

EU Commission Plans IoT Labeling
-http://www.euractiv.com/section/innovation-industry/news/commission-plans-cybersecurity-rules-for-internet-connected-machines/



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create