
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #83

October 18, 2016

TOP OF THE NEWS

ICS-CERT Advisory Warns Sierra Wireless Products Vulnerable to Mirai Malware
IBM Forces Takedown of Proof-of-Concept Exploit Code for Patched Vulnerability
Data Thieves Hit Republican Senatorial Committee Website

THE REST OF THE WEEK'S NEWS

UK Intelligence Agencies Gathered Citizens' Data Improperly for Years
Retired General Who Disclosed US Stuxnet Role Pleads Guilty to Lying to FBI During Investigation of Classified Info Leak
US Considering Responses to Russia's Alleged Interference in Election
Ghost Push Malware Affects Android Versions 5 and Older
US Dept. of Justice Wants Court to Reconsider Decision Regarding Data Stored on Foreign Servers
Chrome Updated to Version 54
ENISA Cybersecurity Exercise Concludes
Python Ransomware Creates Unique Keys to Encrypt Files
Google Releases Transparency Report for First Half of 2016

INTERNET STORM CENTER TECH CORNER


************************* Sponsored By Splunk ***************************

As more workloads and applications migrate to the cloud, your next breach or insider attack will most likely have you digging for evidence in the cloud. That's where Splunk can help. Watch this webinar to see a model for cloud breach investigations and incident review scenarios for cloud-enabled and cloud-dependent enterprises using Splunk.
http://www.sans.org/info/189137

***************************************************************************

TRAINING UPDATE

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA | https://www.sans.org/event/san-diego-2016

--SANS Munich Autumn 2016 | October 24-29, 2016 | Munich, Germany | https://www.sans.org/event/munich-autumn-2016

--Pen Test HackFest Summit & Training | Crystal City, VA | November 2-9, 2016 | https://www.sans.org/event/pen-test-hackfest-2016

--SANS Sydney 2016 | November 3-19, 2016 | Sydney, Australia | https://www.sans.org/event/sydney-2016

--Healthcare Cybersecurity Summit & Training | November 14-21, 2016 | Houston, TX | https://www.sans.org/event/healthcare-cyber-security-summit-2016

--SANS London 2016 | November 12-21, 2016 | London, UK | https://www.sans.org/event/london-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC | https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017

***************************************************************************

TOP OF THE NEWS

ICS-CERT Advisory Warns Sierra Wireless Products Vulnerable to Mirai Malware (October 14 and 17, 2016)

Certain products made by Sierra Wireless are vulnerable to being hijacked by the Mirai botnet malware. Sierra Wireless is notifying customers to change default passwords for their AirLink gateway products. The US Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory regarding the affected Sierra Wireless products.

[Editor Comments]

[Skoudis]
This is big, folks. And it is sad that in 2016 we have malware still spreading to critical systems via default passwords. The Ars Technica article points out that telnet is still in use in some of these devices too. Sigh.

[Ullrich]
Any product with a known default password is vulnerable. A review of these types of attacks over the last few years shows that wireless "3G" gateways from various manufacturers (ZTE, Huawei among others) have been a sizable component of the scans.

[Shpantzer]
One would think that at least some of Sierra's customers have a vested interest in metering access for payment, if not quality of service, and would change the default password to avoid theft of service, etc.

Read more in:

ZDNet: Mirai DDoS botnet powers up, infects Sierra wireless gateways
-http://www.zdnet.com/article/mirai-ddos-botnet-powers-up-infects-sierra-wireless-gateways/


Ars Technica: Beware of all-powerful DDoS malware infecting cellular gateways, feds warn
-http://arstechnica.com/security/2016/10/beware-of-all-powerful-ddos-malware-infecting-cellular-gateways-feds-warn/


ICS-CERT Alert: Sierra Wireless Mitigations Against Mirai Malware
-https://ics-cert.us-cert.gov/alerts/ICS-ALERT-16-286-01

IBM Forces Takedown of Proof-of-Concept Exploit Code for Patched Vulnerability (October 17, 2016)

IBM has pressured a researcher into removing published proof-of-concept exploit code for a vulnerability in IBM WebSphere versions 7, 8, 8.5, and 9. Maurizio Agazzini worked with IBM regarding disclosure of the vulnerability, which is caused by the applications deserializing untrusted data when the WASPPostParam cookie is present. The issue could lead to denial-of-service (DoS) conditions and remote code execution. IBM asked Agazzini to take down the exploit after it had already released a fix for the problem. IBM is concerned that some users have not deployed the patch.

[Editor Comments]

[Williams]
This move by IBM is likely to have a huge impact on independent researchers working with them on coordinated disclosures of vulnerabilities. However, "independent" researchers should also take heed. I've seen infosec researchers fired for inappropriate disclosure of vulnerabilities that embarrassed their full time employers. The researcher thought they were free to do as they wished since they found the vulnerability on their own time.

Read more in:

ZDNet: IBM pressures security researchers, vulnerability exploit code pulled
-http://www.zdnet.com/article/ibm-pressures-security-researchers-vulnerability-exploit-code-pulled/


The Register: IBM: Yes, it's true. We leaned on researchers to censor exploit info
-http://www.theregister.co.uk/2016/10/14/ibm_asked_security_researcher_to_pull_exploit_code/

Data Thieves Hit Republican Senatorial Committee Website (October 17, 2016)

According to information from a Dutch developer, cyber criminals have been skimming payment card information of people who made purchases or donations through the National Republican Senatorial Committee (NRSC) website.

Read more in:

KrebsOnSecurity: Hackers Hit U.S. Senate GOP Committee
-https://krebsonsecurity.com/2016/10/hackers-hit-u-s-senate-gop-committee/

Ars Technica: Hacked Republican website skimmed donor credit cards for 6 months
-http://arstechnica.com/security/2016/10/hacked-republican-website-skimmed-donor-credit-cards-for-6-months/



*************************** SPONSORED LINKS *****************************
1) FREE DUMMIES eBOOK - Accelerate Incident Response with NetFlow Analysis! Learn best practices today! http://www.sans.org/info/188917

2) Learn how Bug bounties provide an opportunity to level the cybersecurity playing field. Register: http://www.sans.org/info/189142

3) Packet Capture + Flow Analytics = Holistic Network Visibility. Tuesday, October 25th, 2016 at 1:00 PM Eastern. http://www.sans.org/info/189147
***************************************************************************

THE REST OF THE WEEK'S NEWS

UK Intelligence Agencies Gathered Citizens' Data Improperly for Years (October 17, 2016)

According to the UK's Investigatory Powers Tribunal, UK intelligence agencies improperly collected and stored citizens' data for years. The government collected bulk communications data and personal information datasets. The data collection procedures did not comply with the European Convention on Human Rights (ECHR). In 2015, an official policy established lawful means of data collection and storage.

Read more in:

BBC: UK spy agencies broke privacy rules says tribunal
-http://www.bbc.com/news/technology-37680058

V3: UK government conducted illegal bulk data collection for almost a decade
-http://www.v3.co.uk/v3-uk/news/2474326/uk-government-conducted-illegal-bulk-data-collection-for-almost-a-decade



Retired General Who Disclosed US Stuxnet Role Pleads Guilty to Lying to FBI During Investigation of Classified Info Leak (October 17, 2016)

Retired Marine Corps General James E. Cartwright has pleaded guilty to lying to the FBI during an investigation into classified information leaked to journalists regarding Iran's nuclear program. Cartwright was vice chairman of the Joint Chiefs of Staff from 2007 until his retirement in 2011.

Read more in:

Washington Post: Former Joint Chiefs of Staff vice chairman pleads guilty to false statements in classified leak investigation
-https://www.washingtonpost.com/local/public-safety/former-joint-chiefs-of-staff-vice-chairman-to-plea-to-false-statements-in-classified-leak/2016/10/17/a84b9986-9483-11e6-9b7c-57290af48a49_story.html?tid=hybrid_collaborative_1_na


New York Times: James Cartwright, Ex-General, Pleads Guilty in Leak Case
-http://www.nytimes.com/2016/10/18/us/marine-general-james-cartwright-leak-fbi.html


CNN: Retired four-star general admits leaking top-secret info to media
-http://www.cnn.com/2016/10/17/politics/general-cartwright-pleads-guilty-leaking-information/

US Considering Responses to Russia's Alleged Interference in Election (October 14, 2016)

According to NBC News, the CIA is preparing plans to launch a cyber attack against Russia. The action is reportedly being taken in response to Russia's alleged interference in the US election. US intelligence officials told NBC News that the CIA is expected to provide options for the White House to consider. A senior US intelligence official said that not responding to Russia's alleged activity would exact a price: "If you publicly accuse someone and don't follow it up with a responsive action, that may weaken the credible threat of your response capability." The US has responded with sanctions and litigation in instances of cyberattacks originating in China, Iran, and North Korea.

Read more in:

NBC News: CIA Prepping for Possible Cyber Strike Against Russia
-http://www.nbcnews.com/news/us-news/cia-prepping-possible-cyber-strike-against-russia-n666636


CSMonitor: After blaming Russia for DNC hack, Obama weighs response
-http://www.csmonitor.com/World/Passcode/2016/1014/After-blaming-Russia-for-DNC-hack-Obama-weighs-response

Ghost Push Malware Affects Android Versions 5 and Older (October 17, 2016)

A Trojan horse program called Ghost Push is capable of rooting Android mobile operating systems through version 5, known as Lollipop. Google estimates that more than half of Android users are running version 5 and earlier. Ghost Push does not affect Android versions 6 and 7, Marshmallow and Nougat. The majority of new Ghost Push infections appear to be coming from pirated and other third-party apps. Ghost Push was first detected in 2014.

[Editor Comments]

[Shpantzer]
Once again, Android ecosystem fragmentation and open app store model are simultaneously its best and worst features.

Read more in:

ZDNet: Your Android smartphone might still be vulnerable to ancient Ghost Push Trojan
-http://www.zdnet.com/article/your-android-smartphone-is-probably-still-vulnerable-to-the-ghost-push-trojan/


The Register: More than half of Androids susceptible to ancient malware
-http://www.theregister.co.uk/2016/10/17/ghost_push_android_malware/

SC Magazine: Ghost Push possesses Android devices; only version 6.0 is safe
-http://www.scmagazine.com/ghost-push-possesses-android-devices-only-version-60-is-safe/article/560464/

US Dept. of Justice Wants Court to Reconsider Decision Regarding Data Stored on Foreign Servers (October 14 and 17, 2016)

The US Department of Justice (DoJ) is appealing a July court decision that said DoJ does not have the legal right to demand data stored on a foreign server even with a federal warrant. US legislators who are co-sponsoring the International Communications Privacy Act (ICPA) have sent a letter to US Attorney General Loretta Lynch urging that DoJ turn its attention to legislation that would allow them access to data stored on foreign servers in limited cases under specific circumstances.

[Editor Comments]

[Murray]
Seems as though this is an issue to be settled by international cooperation or treaty rather than by a US court or legislation. It is difficult for an enterprise doing business across borders to comply with conflicting laws, but most attempt to comply with the most local jurisdiction.

Read more in:

Computerworld: Lawmakers question DOJ's appeal of Microsoft Irish data case
-http://computerworld.com/article/3131832/security/lawmakers-question-dojs-appeal-of-microsoft-irish-data-case.html


Ars Technica: US renews fight for the right to seize content from the world's servers
-http://arstechnica.com/tech-policy/2016/10/us-renews-fight-for-the-right-to-seize-content-from-the-worlds-servers/


Ars Technica: Petition for Rehearing and Rehearing en Banc
-http://arstechnica.com/wp-content/uploads/2016/10/fedsenbancmicrosoftirishservers.pdf


Hatch.senate.gov: Letter to Attorney General Lynch
-http://www.hatch.senate.gov/public/_cache/files/3e496a4b-fe64-423d-a48f-746e9f9b8ea5/Letter%20to%20AG%20Lynch,%20October%2013,%202016.pdf

Chrome Updated to Version 54 (October 12 and 14, 2016)

Google's Chrome browser has been updated to version 54 in the stable channel. The newest version of Chrome addresses 21 security issues, six of which are considered high severity.

[Editor Comments]

[Shpantzer]
One good thing about Chrome is that it updates the plugins as well, which are a pain to patch at scale. Also, click-to-play for Flash is helpful.

[Northcutt]
Interesting, my browser wants to do a v. 53 update and it is failing. Suggest organizations that rely on the Chrome browser wait a couple days. These things always get sorted out, but you may not want to be the first in line.

Read more in:

The Register: Google splats 21 bugs in Chrome 54 patch run
-http://www.theregister.co.uk/2016/10/14/google_splats_21_bugs_in_chrome_54_patch_run/


Softpedia: Chrome 54 Released with Support for Custom HTML Tags
-http://news.softpedia.com/news/chrome-54-released-with-support-for-custom-html-tags-509230.shtml

ENISA Cybersecurity Exercise Concludes (October 14, 2016)

The Cyber Europe 2016 cybersecurity exercise concluded last week; 28 EU member states and Switzerland participated. The exercise, which began in April 2016, addressed political and economic policy pertinent to cybersecurity. According to the exercise's organizer, the European Union Agency for Network and Information Security (ENISA), "a full scenario was developed with actors, media coverage, simulated companies, and social media, bringing in the public affairs dimension associated with cyber crises so as to increase realism to a level never before seen in cyber-security exercises."

Read more in:

SC Magazine: 'Biggest ever' pan-European cyber-security exercise concludes today
-http://www.scmagazine.com/biggest-ever-pan-european-cyber-security-exercise-concludes-today/article/548469/

Python Ransomware Creates Unique Keys to Encrypt Files (October 13 and 14, 2016)

Ransomware known as CryPy, because it is written in the Python programming language, creates a unique key for each file it encrypts.

[Editor Comments]

[Shpantzer]
Segment your networks. Ransomware is the present and the future. It's too easy and too lucrative. I've had ransomware detonate in client networks before and after I deployed proper segmentation; it makes a difference.

Read more in:

ZDNet: Python ransomware encrypts files with unique keys one at a time
-http://www.zdnet.com/article/python-ransomware-encrypts-files-with-unique-keys-one-at-a-time/


Securelist.com (Kaspersky blog): CryPy: ransomware behind Israeli lines
-https://securelist.com/blog/research/76318/crypy-ransomware-behind-israeli-lines/

Google Releases Transparency Report for First Half of 2016 (October 13 and 14, 2016)

According to Google's most recent transparency report, which covers the first six months of 2016, it received nearly 45,000 requests for information regarding more than 76,000 accounts from governments around the world. While the volume of government requests for Google user data has risen, the proportion of those requests Google complies with has remained steady at about 64 percent. The report also notes that the FBI lifted a gag order on a National Security Letter issued in the second half of 2015.

Read more in:

The Hill: Google discloses FBI inquiry
-http://thehill.com/policy/technology/301125-google-discloses-fbi-inquiry

eWeek: Government Requests for Google User Data Rise Steadily
-http://www.eweek.com/security/government-requests-for-google-user-data-rise-steadily.html


blog.google: Building on Surveillance Reform
-https://blog.google/topics/public-policy/building-surveillance-reform/

INTERNET STORM CENTER TECH CORNER

pseudoDarkleech Uses Rig Exploit Kit to Spread Cerber
-https://isc.sans.edu/forums/diary/pseudoDarkleech+Rig+EK/21595/

Decoder.xls to Decode Malicious Word Macros
-https://isc.sans.edu/forums/diary/Analyzing+Office+Maldocs+With+Decoderxls/21601/

Auditing SSH Servers
-https://github.com/arthepsy/ssh-audit

How Not To Use HTML Purifier
-https://devwerks.net/blog/16/how-not-to-use-html-purifier/

Mozilla Users Reach 50% HTTPS
-https://twitter.com/0xjosh/status/786971412959420424/photo/1

Retrieving LastPass Passwords From Memory
-https://techanarchy.net/2016/10/extracting-lastpass-site-credentials-from-memory/

Yahoo MITM Due To Weak Crossdomain.xml Configuration
-https://github.com/JordanMilne/YMail-Pineapple


***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create