SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #85

October 25, 2016

TOP OF THE NEWS

Fixing the IoT Problem Reliably
Compromised IoT Devices Part of DDoS Attack on DNS Service Provider Dyn
Hangzhou Xiongmai Recalls Webcams
IoT Botnet: Finding and Compromising Vulnerable Devices
Apple Updates iOS to 10.1, Fixes Malicious JPEG Flaw (Install it Now!)
Inside the OPM Attack

THE REST OF THE WEEK'S NEWS

Audit Report Documents Terrible CyberSecurity Performance at Interior Department
Microsoft's New Patch Model: Risks and Benefits
Rowhammer a Threat to Some Android Devices
Alleged LinkedIn Attacker Indicted
FS-ISAC's FSARC Will Focus on Deep Analysis and Long-Term Strategies for Resilience
Automobile Makers Urged to Improve Vehicle Cybersecurity

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

*********************** Sponsored By Sophos Inc. ***********************

NEW Anti-exploit technology, Intercept X, designed to stop ransomware before it takes hold of your system. Born next-gen, Sophos Intercept X offers an additional layer of protection and totally new approach to endpoint security. See it in action: http://www.sans.org/info/189347

***************************************************************************

TRAINING UPDATE

--Pen Test HackFest Summit & Training | Crystal City, VA | November 2-9, 2016 | https://www.sans.org/event/pen-test-hackfest-2016

--SANS Sydney 2016 | November 3-19, 2016 | Sydney, Australia | https://www.sans.org/event/sydney-2016

--Healthcare Cybersecurity Summit & Training | November 14-21, 2016 | Houston, TX | https://www.sans.org/event/healthcare-cyber-security-summit-2016

--SANS London 2016 | November 12-21, 2016 | London, UK | https://www.sans.org/event/london-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC | https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Amsterdam 2016 | December 12-17, 2016 | Amsterdam, Netherlands | https://www.sans.org/event/amsterdam-2016

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017

--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA | https://www.sans.org/event/anaheim-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017

***************************************************************************

---

TOP OF THE NEWS

Fixing the IoT Problem

Consumers are being blamed for not changing passwords and thereby causing last week's massive DDoS attacks. That's wrong as the following stories and comments in this week's Top of the News show. A long term, reliable solution will come only from government changing its procurement policies (not regulations). Government buys massive amounts of consumer goods (think military PX) as well as office equipment and industrial equipment similarly vulnerable for nearly all the same reasons. A government procurement program calling on all procurement offices to "Just say No to vulnerable IoT devices" would fix the problem in months and keep it fixed. That's one of the three "great opportunities for cybersecurity improvements" that the Obama administration left for the next administration.

Compromised IoT Devices Part of DDoS Attack on DNS Service Provider Dyn (October 21, 22, and 23, 2016)

A massive distributed denial-of-service (DDoS) attack against DNS service provider Dyn caused several major websites, including Twitter, Amazon, Spotify, and Netflix, to be unavailable last Friday. Dyn experienced three waves of attacks. The US Department of Homeland Security (DHS) is investigating. The attack was powered in part by compromised Internet of Things (IoT) devices.

[Editor Comments ]



[Murray ]
These devices have become a fundamental, pervasive, and persistent vulnerability in the Internet. They may well be an existential vulnerability.


[Williams ]
This attack impacted so many top tier sites because those sites all trusted Dyn as their only provider for DNS services, assuming that it was "too big to fail."

Read more in:

KrebsOnSecurity: Hacked Cameras, DVRs Powered Today's Massive Internet Outage
-https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-i
nternet-outage/

KrebsOnSecurity: DDoS on Dyn Impacts Twitter, Spotify, Reddit
-https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/

Washington Post: 'Internet of Things' compounded Friday's hack of major websites
-https://www.washingtonpost.com/news/the-switch/wp/2016/10/21/someone-attacked-a-
major-part-of-the-internets-infrastructure/

Christian Science Monitor: How hackers carried out the DDoS cyber-attack with DVRs and cameras
-http://www.csmonitor.com/Technology/2016/1022/How-hackers-carried-out-the-DDoS-c
yber-attack-with-DVRs-and-cameras

ZDNet: After massive cyberattack, shoddy smart device security comes back to haunt
-http://www.zdnet.com/article/blame-the-internet-of-things-for-causing-massive-we
b-outage/

Wired: What We Know About Friday's Massive East Coast Internet Outage
-https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/

Hangzhou Xiongmai Recalls Webcams (October 24, 2016)

Chinese manufacturing company Hangzhou Xiongmai has recalled several models of webcams that were allegedly compromised and used in a distributed denial-of-service (DDoS) attack against managed domain name system provider Dyn. The devices were vulnerable largely because users did not change default passwords, an issue Xiongmai says it patched in 2015. The company says it has developed a firmware update for older products.

[Editor Comments ]



[Ullrich ]
The statement that users didn't change the default password is wrong. The Mirai botnet is exploiting a "backdoor" password that cannot be changed. Only a firmware update will help. Right now, I don't see the firmware update available from XM. While XM was somewhat singled out in this event, many other devices suffer from hard coded "backdoor" or "support" passwords that the user cannot change. Just as in the XM case, these passwords are not advertised by the manufacturer, but easily retrieved by analyzing the firmware. Once discovered, updated firmware often just implements a different password instead of eliminating this function.


[Honan ]
This issue highlights a bigger problem that I feel is often overlooked with IoT. We struggle to convince companies and individuals to keep their PCs patched. This is going to be a bigger challenge in IoT. We need to make the Internet more resilient as more and more of these devices will become security threats over time.


[Liston ]
: Default passwords combined with uPNP is a disaster in the making.

Read more in:

ZDNet: Chinese tech giant recalls webcams used in Dyn cyberattack
-http://www.zdnet.com/article/chinese-tech-giant-recalls-webcams-used-in-dyn-cybe
rattack/

The Register: Chinese electronics biz recalls webcams at heart of botnet DDoS woes
-http://www.theregister.co.uk/2016/10/24/chinese_firm_recalls_webcams_over_mirai_
botnet_infection_ddos_woes/

Computerworld: Chinese security firm recalls camera products linked to massive DDoS attack
-http://computerworld.com/article/3134548/security/chinese-firm-recalls-camera-pr
oducts-linked-to-massive-ddos-attack.html

IoT Botnet: Finding and Compromising Vulnerable Devices (October 21 and 24, 2016)

Attackers were able to compromise IoT devices by searching for IP addresses associated with them and exploiting unchanged default passwords or using services like SSH and telnet.

[Editor Comments ]



[Shpantzer ]
You can find IoT devices via DNS as well. Within 20 minutes of surfing the DNS logs at a client site, I found a device talking to a .kr domain, and it turned out to be a TV set in an IT executive's office... See also openDNS' report on IoT here:
-http://info.opendns.com/rs/033-OMP-861/images/OpenDNS-2015-IoT-Report.pdf


[Pescatore ]
Until manufacturers can be forced to make product security and safety the top concern, we really need a public service ad campaign to get consumers to internalize "Wash all fruit and vegetables when I bring them home from the grocery store, change all passwords on the electronics Amazon vans drop off at my front door."


[Williams ]
While it's tempting to blame "dumb users" for not changing their default passwords, some of the devices used in the Mirai IoT botnet lack the ability for users to easily do so. Some lack the 'passwd' binary used to update passwords on the device. We don't seriously expect users to edit the password files by hand, do we? Before you answer, note that these same devices also lack an editor to do so. It will take cooperation from manufacturers to fix the default password problem.

Read more in:

CNET: Why it was so easy to hack the cameras that took down the web
-https://www.cnet.com/how-to/ddos-iot-connected-devices-easily-hacked-internet-ou
tage-webcam-dvr/

Apple Updates iOS to 10.1, Fixes Malicious JPEG Flaw

Apple has updated its mobile operating system to iOS 10.1 to fix a number of security issues, including a vulnerability that allows a malicious JPEG to execute code. The update is available for all devices that run iOS 10.

Read more in:

Ars Technica: iOS 10.1 arrives with iPhone 7 Plus Portrait mMode and lots of fixes
-http://arstechnica.com/apple/2016/10/ios-10-1-arrives-with-iphone-7-plus-portrai
t-mode-and-lots-of-fixes/

Graham Cluely: A booby-trapped JPEG could infect your phone. Upgrade to iOS 10.1 now.
-https://www.grahamcluley.com/boobytrapped-jpeg-infect-iphone-upgrade-ios-10-1/

Inside the OPM Attack (October 23, 2016)

This article offers an account of the massive breach at the US Office of Personnel Management (OPM), from its detection, to the analysis that determined the scope and depth of the attack, to the realization that the agency's most sensitive data had been exfiltrated. The breach led to the Cybersecurity Sprint, a White House initiative to make noticeable improvements to federal cybersecurity in just one month, which in turn led to the development of the Cybersecurity National Action Plan (CNAP).

[Editor Comments ]



[Murray ]
This well researched and written article is a "must read." One lesson is that if you are a large government or business enterprise, behave as though there are compromised users and systems in your network. Second is the value of a cross-enterprise view-point.


[Pescatore ]
The article is long on the details of figuring how bad the compromise was and short on lessons learned about how it could have been either avoided (other than talk of two factor authentication) or detected much sooner. One key tell: they didn't notice something on the inside was talking to something suspicious on the outside until long after the damage had occurred. Another was not focusing efforts on a "crown jewels" server they call a "jump box" - an administrative server in the path of all logins.


[Shpantzer ]
See the report on the OPM hack from the US House of Representatives:
-https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-t
he-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf

Read more in:

Wired: Inside the Cyberattack That Shocked the US Government
-https://www.wired.com/2016/10/inside-cyberattack-shocked-us-government/

---

*************************** SPONSORED LINKS *****************************
1) Ready to Replace AV? Criteria to Evaluate NGAV Solutions. Register to learn more: http://www.sans.org/info/189352

2) Intercept X, a completely new approach to endpoint security. Learn more: http://www.sans.org/info/189357

3) Find out what you need to know about protecting physical assets in your OT environment. Register: http://www.sans.org/info/189362
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Audit Report Documents Terrible CyberSecurity Performance at Interior Department (October 24, 2016)

In a recently-released audit report from the Interior Department's Inspector General (IG), the agency was criticized for allowing 90,000 critical and high-risk vulnerabilities (in just three bureaus) to remain unpatched for two years. The report also found the agency to be years away from achieving a "steady state" of the Department of Homeland Security's (DHS) continuous diagnostics and mitigation (CDM) after nearly three years of effort. Critics of the report say that the tests were run over a year ago and that the vulnerabilities have since been fixed (after they were identified by the IG). What the critics don't say is that another test run just a few months ago will show exactly the same problems persist at the agency. Critics also say that agency CDM efforts are operating on a schedule determined largely by DHS and government contractors, but that is not a valid claim as Pescatore notes below.

[Editor Comments ]



[Paller ]
This report demonstrates a level of expertise and analysis that is all too rare in government. It also reinforces a pattern we have begun to measure in which federal agency cybersecurity skills are improving more rapidly in the IG groups than in the cybersecurity staffs. The difference seems to be that the IGs are asking their people to develop advanced technical excellence and investing in their training to make that possible.


[Pescatore ]
The DHS CDM program has been funded for 3 years now and the program has had so many problems in so many areas that you really can't place all the blame on any single agency for slow progress in rolling out the official CDM capabilities. However, there was also *no* requirement that agencies wait for the CDM program to address basic security hygiene and improve configuration management and vulnerability assessments. Too many agencies used DHS's many CDM stumbles as a reason for inaction - and the 2015 "Security Sprint" pointed that out.

Read more in:

Federal Computer Week: Interior CDM effort 'immature' says IG
-https://fcw.com/articles/2016/10/19/cdm-interior-immature.aspx

Executive Gov: Inspector General Reviews Interior Dept's Continuous Diagnostics & Mitigation Program for 3 Bureaus' IT Systems
-http://www.executivegov.com/2016/10/inspector-general-reviews-interior-depts-con
tinuous-diagnostics-mitigation-program-for-3-bureaus-it-systems/

Federal News Radio: Pulling back the covers on a critical IG report about Interior's cyber efforts
-http://federalnewsradio.com/reporters-notebook-jason-miller/2016/10/pulling-back
-covers-critical-ig-report-interiors-cyber-efforts/

Microsoft's New Patch Model: Risks and Benefits (October 24, 2016)

With this month's security updates, released two weeks ago, Microsoft moved to a cumulative rollup model for Windows. On the second Tuesday of each month, Microsoft will release a bundle for consumers that includes all the security and non-security updates for the month as well as earlier fixes. It will also release a bundle for enterprise customers that contains only the security patches for that month. On the third Tuesday of the month, Microsoft will release a preview of the non-security updates for the following month. The changes are meant to make patching simpler and to help ensure that patches are applied correctly.

[Editor Comments ]



[Williams ]
Some organizations are increasing patch testing times since patching is now all or nothing. This new patching model also impacts vulnerability researchers as it complicates the process of discovering which files were patched as part of a particular vulnerability.


[Liston ]
My wife recently bought me a t-shirt because she said that the caption on the front sounded like something I would say: "Sure... let's do this in the stupidest way possible because it's convenient for you." That pretty much sums up my feelings about the new patch model. Bundling everything together makes all patches fail when one fails... it also makes customers unable to apply all patches in the bundle if one patch is incompatible with their environment. It is, however, convenient for Microsoft...

Read more in:

Dark Reading: Microsoft's New Patch Tuesday Model Comes With Benefits And Risks
-http://www.darkreading.com/endpoint/microsofts-new-patch-tuesday-model-comes-wit
h-benefits-and-risks/d/d-id/1327251

Rowhammer a Threat to Some Android Devices (October 23 and 24, 2016)

A physical flaw in RAM chips could be exploited to compromise Android devices. The proof-of-concept attack gained root access to numerous Android devices without exploiting a software flaw. The attack exploits a vulnerability in RAM chips known as Rowhammer, which can be used to alter memory it should not be able to access. The attack targets Android devices' dynamic random access memory by continually accessing cells in a row adjacent to the one under attack; resulting voltage fluctuations could cause those bits to flip.

Read more in:

Wired: Elegant Physics (and Some Down and Dirty Linux Tricks) Threaten Android Phones
-https://www.wired.com/2016/10/elegant-physics-dirty-linux-tricks-threaten-androi
d-phones/

Computerworld: Physical RAM attack can root Android and possible other devices
-http://computerworld.com/article/3134624/security/physical-ram-attack-can-root-a
ndroid-and-possibly-other-devices.html

Ars Technica: Using Rowhammer bitflips to root Android phones is now a thing
-http://arstechnica.com/security/2016/10/using-rowhammer-bitflips-to-root-android
-phones-is-now-a-thing/

The Register: App proves Rowhammer can be exploited to root Android phones - and there's little Google can do to fully kill it
-http://www.theregister.co.uk/2016/10/24/rowhammer_android/

Alleged LinkedIn Attacker Indicted (October 21 and 24, 2016)

The US Department of Justice (DoJ) has unsealed an indictment alleging that Yevgeniy Aleksandrovich Nikulin is responsible for series of cyberattacks that stole data from LinkedIn and Dropbox. The indictment lists charges of obtaining information from computers, causing damage to computers, trafficking in access devices, aggravated identity theft and conspiracy.

Read more in:

ZDNet: Feds indict hackers over LinkedIn Dropbox Attacks
-http://www.zdnet.com/article/feds-indict-hacker-over-linkedin-dropbox-attacks/

US Dept. of Justice: Yevgeniy Nikulin Indicted for Hacking LinkedIn, Dropbox and Formspring
-https://www.justice.gov/opa/pr/yevgeniy-nikulin-indicted-hacking-linkedin-dropbo
x-and-formspring

FS-ISAC's FSARC Will Focus on Deep Analysis and Long-Term Strategies for Resilience (October 24, 2016)

The Financial Services Information Sharing and Analysis Center (FS-ISAC) announced the formation of the Financial Systemic Analysis and Resilience Center (FSARC). FSARC will work closely with partners in government to conduct deep threat analysis and systems defense tailored to the financial sector. FSARC was developed by eight large banks, all members of FS-ISAC. While FS-ISAC "is focused on real-time threat intelligence sharing for incident response and prevention," FSARC will focus on analysis and developing long-term strategies.

Read more in:

Dark Reading: New Financial System Analysis and Resilience Center Formed
-http://www.darkreading.com/threat-intelligence/new-financial-system-analysis-and
-resilience-center-formed-/d/d-id/1327276?

FS-ISAC: FS-ISAC Announces the Formation of the Financial Systemic Analysis & Resilience Center (FSARC) (PDF)
-https://www.fsisac.com/sites/default/files/news/FS-ISAC%20Announces%20the%20Form
ation%20of%20the%20Financial%20Systemic%20Analysis%20%28FSARC%29.pdf

Automobile Makers Urged to Improve Vehicle Cybersecurity (October 24, 2016)

The US National Highway Traffic Safety Administration (NHTSA) has issued guidelines for automobile makers to use when designing computer systems for their vehicles. The guidelines, "Cybersecurity Best Practices for Modern Vehicles," provide best practices recommendations for automobile designers and manufacturers, but are not requirements.

[Editor Comments ]



[Northcutt ]
There are three basic ways to digest this information:
1) If you have the option of a qualified shade tree mechanic, maintain a car with points, plugs and condensers, best choice, if you can rely on your driving skills, though air bags are really nice.
2) Choose vehicles that are in line with the Alliance of Automobile Manufacturers, NHTSA guidelines and AUTO-ISAC, good luck with that.
3) Ignore it all and hope for the best. This gets radical with self driving cars, ransomware anyone?

Read more in:

Reuters: U.S. calls on automakers to make cyber security a priority
-http://www.reuters.com/article/us-autos-cyber-idUSKCN12O2JG

NHTSA: U.S. DOT issues Federal guidance to the automotive industry for improving motor vehicle cybersecurity
-http://www.nhtsa.gov/About-NHTSA/Press-Releases/nhtsa_cybersecurity_best_practic
es_10242016

---

INTERNET STORM CENTER TECH CORNER

ISC Briefing: Large DDoS Attack Against Dyn
-https://isc.sans.edu/forums/diary/ISC+Briefing+Large+DDoS+Attack+Against+Dyn/216
27/

TCP Port 4786: Cisco Memory Leak Vulnerability
-https://isc.sans.edu/forums/diary/Request+for+Packets+TCP+4786+CVE20166385/21625
/

Dirty Cow PoC Exploits Available
-https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs

Updates For iOS, MacOS, Safari
-https://support.apple.com/en-us/HT201222

LTE Intercept Vulnerability
-http://www.theregister.co.uk/2016/10/23/every_lte_call_text_can_be_intercepted_b
lacked_out_hacker_finds/

Rowhammer Exploit Demonstrated Against Android
-https://www.vusec.net/projects/drammer/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create