SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #87

November 01, 2016

TOP OF THE NEWS

UK NHS Trust Shuts Down Systems After Malware Infection
IoT Botnet: It's more than a Password Issue
DMCA Exemptions Updated

THE REST OF THE WEEK'S NEWS

Google: Chrome 56 will Not Trust Most WoSign and StartCom Certificates
Google Discloses Windows Zero Day
PREDATOR Tool Helps Identify Malicious Domains During Registration Process
Joomla Websites Attacked Through Patched Flaws
US Office of the Comptroller of the Currency Reports Missing Thumb Drive
AtomBombing Code Injection Technique Affects Windows
DoJ Releases CFAA Charges Policy Guidance
Rule 41 Amendment Expands the Reach of Search Warrants

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

************************* Sponsored By Splunk **************************

Did you know Splunk Enterprise Security is made up of distinct frameworks that can each be leveraged independently to meet specific security use cases? Join this webinar to learn the technical details behind key Splunk Enterprise Security frameworks. Splunk experts will also discuss real-world examples and demo these frameworks. http://www.sans.org/info/189527

**************************************************************************

TRAINING UPDATE

--Healthcare Cybersecurity Summit & Training | November 14-21, 2016 | Houston, TX |
https://www.sans.org/event/healthcare-cyber-security-summit-2016

--SANS London 2016 | November 12-21, 2016 | London, UK |
https://www.sans.org/event/london-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC |
https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Amsterdam 2016 | December 12-17, 2016 | Amsterdam, Netherlands |
https://www.sans.org/event/amsterdam-2016

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA |
https://www.sans.org/event/security-east-2017

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 |
https://www.sans.org/event/cloud-security-summit-2017

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV |
https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 |
https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA |
https://www.sans.org/event/anaheim-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan |
https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore |
https://www.sans.org/event/secure-singapore-2017

***************************************************************************

---

TOP OF THE NEWS

UK NHS Trust Shuts Down Systems After Malware Infection (October 31, 2016)

The Northern Lincolnshire & Goole HHS Foundation trust has shut down nearly all of its IT systems after malware was found. The incident caused the trust to cancel "all planned operations, outpatient appointments and diagnostic procedures" for two days.

Read more in:

The Register: Appointments on hold as (computer) virus wreaks havoc with NHS trust systems
-http://www.theregister.co.uk/2016/10/31/virus_shuts_down_nhs_trust/

IoT Botnet: It's more than a Password Issue (October 28, 2016) ||||||

The issue of unsecure Internet of Things (IoT) devices like those used in the Mirai botnet distributed denial-of-service (DDoS) attacks, goes beyond poor password hygiene. There are problems with the way the devices are manufactured, and the ways in which they connect to the Internet. There are currently no incentives for manufacturers or consumers to spring for the cost of added security.


[Editor Comments ]



[Assante ]
Buyer preferences and price points will not support more secure designs for the home and small business consumer markets. The barriers to security go beyond a particular maker of IoT products and into the byzantine and disjoined world of integrating embedded systems. These systems are often driven by trade-offs and constraints in cost versus performance versus power consumption. Even after recognized short-falls in the ICS world, embedded security has not been elevated into a primary design driver position. Don't expect to see any natural changes as resourced constrained 'things' are deployed in insecure environments with no responsible person or entity to manage them.

Read more in:

Christian Science Monitor: Flaws in connected cameras, recorders broader than passwords
-http://www.csmonitor.com/World/Passcode/2016/1028/Flaws-in-connected-cameras-rec
orders-broader-than-bad-passwords

DMCA Exemptions Updated (October 28 & 31, 2016)

The US Copyright Office and the Librarian of Congress have published new exemptions to the Digital Millennium Copyright Act (DMCA). The updated rules allow exceptions related to security research and vehicle repair.


[Editor Comments ]



[Murray ]
So much of what goes on under the rubric of security "research" is simply ego-driven vulnerability discovery that this exemption could amount to a "get out of jail free" card. Rather than permitting research, this exemption will encourage more mischief. Activities claiming this exemption should be authorized and supervised, or at a minimum collegial.

Read more in:

Wired: It's Finally Legal to Hack Your Own Devices (Even Your Car)
-https://www.wired.com/2016/10/hacking-car-pacemaker-toaster-just-became-legal/

ZDNet: US DMCA rules updated to give security experts legal backing to research
-http://www.zdnet.com/article/us-dmca-rules-updated-to-give-security-experts-lega
l-backing-to-research/

CNET: Modders, rejoice: It's legal to tweak you car's software now
-https://www.cnet.com/roadshow/news/modders-rejoice-its-legal-to-tweak-your-cars-
software-now/

SC Magazine: DMCA changes allow researchers to access to copyrighted works
-http://www.scmagazine.com/dmca-changes-allow-researchers-to-access-to-copyrighte
d-works/article/569477/

Federal Register: Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control
-https://www.federalregister.gov/documents/2015/10/28/2015-27212/exemption-to-pro
hibition-on-circumvention-of-copyright-protection-systems-for-access-control

---

*************************** SPONSORED LINKS *****************************

1) Ready to Replace AV? Criteria to Evaluate NGAV Solutions. Register to learn more: http://www.sans.org/info/189532

2) Find out what you need to know about protecting physical assets in your OT environment. Register: http://www.sans.org/info/189537

3) Looking for a solution to your security issue? Visit the SANS Affiliate Directory for a list of vendors who may be able to help! http://www.sans.org/info/189542

****************************************************************************

---

THE REST OF THE WEEK'S NEWS

Google: Chrome 56 will Not Trust Most WoSign and StartCom Certificates (October 31, 2016)

When Google releases Chrome 56, which is currently expected to be available in January 2017, the browser will not trust certificates from WoSign and StartCom issued after midnight, October 21, 2016. Certificates issued before October 21 will be trusted if they are compliant with Google's Certificate Transparency in Chrome in policy, or if the domain using the certificate is on a whitelist of known customers for the CAs. In a related story, Google's Chrome Team announced that as of October 2017, publicly trusted website certificates must be compliant with the Chrome Certificate Transparency policy to be trusted.

Read more in:

ZDNet: Google joins Mozilla and Apple in Distrusting WoSign Certificates
-http://www.zdnet.com/article/google-joins-mozilla-and-apple-in-distrusting-wosig
n-certificates/

The Register: Obey Google, web-masters, or it will say you can't be trusted
-http://www.theregister.co.uk/2016/10/31/google_certificate_transparency/

Google Blog: Distrusting WoSign and StartCom Certificates
-https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html

Google: Announcement: Requiring Certificate Transparency in 2017
-https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/78N3SMcqUGw/ykIwH
XuqAQAJ

Google Discloses Windows Zero Day (October 31, 2016)

On October 21, Google reported critical zero-day flaws to Adobe and Microsoft. Adobe addressed the issue in Flash Player with an update on October 26. On October 31, Google disclosed the vulnerability in Windows because it was being actively exploited. Microsoft has not yet released a fix for the local privilege escalation flaw in the Windows kernel.


[Editor Comments ]



[Ullrich ]
in the last week, privilege escalation vulnerabilities were disclosed in most operating systems ("dirty cow" in linux, "task_t" in OS X and now this one in Windows). Privilege escalation vulnerabilities are almost impossible to fix as a lot of complex graphics and inter-process messaging code has to run at elevated privilege. Which is one more reason to "rebuild from scratch" if you find a compromised system.

Read more in:

Dark Reading: Google Warns of Windows Zero-Day Under Attack
-http://www.darkreading.com/vulnerabilities---threats/google-warns-of-windows-zer
o-day-under-attack/d/d-id/1327345

Ars Technica: Trick or Treat! Google issues warning of critical Windows vulnerability in wild
-http://arstechnica.com/security/2016/10/trick-or-treat-google-issues-warning-of-
critical-windows-vulnerability/

CNET: Microsoft not happy with Google disclosing major Windows bug
-https://www.cnet.com/news/microsoft-unhappy-with-google-disclosing-major-windows
-bug-security/

The Register: Google drops a zero-day on Microsoft: Web giant goes public with bug exploited by hackers
-http://www.theregister.co.uk/2016/10/31/google_drops_zero_day_on_tardy_microsoft
/

PREDATOR Tool Helps Identify Malicious Domains During Registration Process (October 28, 2016)

Researchers have developed a tool that can help determine when people are registering domains for malicious purposes. Researchers from Google, Princeton University, University of California Santa Barbara, University of California Berkeley, and the International Computer Science Institute presented findings last week at the ACM Conference on Computer and Communications Security. The Proactive Recognition and Elimination of Domain Abuse at Time-of-Registration (PREDATOR) tool aims to identify domains that are being registered with malicious intent by analyzing factors such as the number of domains registered, readability of domain names registered, and the times of day during which the domains are registered.


[Editor Comments ]



[Murray ]
Not only is this activity collegial, but it is about security rather than simple vulnerability discovery.

Read more in:

Dark Reading: And Now A PREDATOR To Fight DNS Domain Abuse
-http://www.darkreading.com/vulnerabilities---threats/and-now-a-predator-to-fight
-dns-domain-abuse/d/d-id/1327336?

The Register: Boffins predict web scams with domain registration data
-http://www.theregister.co.uk/2016/10/31/princetons_predator_gobbles_web_scammers
/

Joomla Websites Attacked Through Patched Flaws (October 31, 2016)

Joomla-based websites are being attacked though a pair of vulnerabilities that were patched in Joomla version 3.6.4, which was released last week. The critical flaws are being exploited to obtain elevated privileges on vulnerable websites. As of last Friday, nearly 28,000 sites had been targeted.

Read more in:

Computerworld: Joomla websites attacked en masse using recently patched exploits
-http://computerworld.com/article/3136932/security/joomla-websites-attacked-en-ma
sse-using-recently-patched-exploits.html

SC Magazine: Joomla flaws exploited to place backdoors, then patched by same attackers
-http://www.scmagazine.com/researchers-detail-recently-patched-joomla-flaws-explo
ited-in-the-wild/article/569512/

US Office of the Comptroller of the Currency Reports Missing Thumb Drive (October 29, 2016)

The US Department of the Treasury's Office of the Comptroller of the Currency has disclosed to Congress "a major security incident." A former employee downloaded a significant amount of data to two drives prior to retirement, and now cannot locate the drives. The data were taken a year ago, but the incident was detected in September 2016 during a review of downloads to removable media.

Read more in:

Computerworld: Lost thumb drives bedevil U.S. banking agency
-http://computerworld.com/article/3136746/security/lost-thumb-drives-bedevil-us-b
anking-agency.html

Treasury: OCC Notifies Congress of Incident Involving Unauthorized Removal of Information
-https://www.occ.treas.gov/news-issuances/news-releases/2016/nr-occ-2016-138.html
--AtomBombing
Code Injection Technique Affects Windows (October 28, 2016)

DoJ Releases CFAA Charges Policy Guidance (October 28, 2016)

The US Department of Justice has released a 2014 memorandum that provides guidance to prosecutors regarding a decision about whether to bring charges under the Computer Fraud and Abuse Act (CFAA). The CFAA was enacted in the 1980s, and legislators and civil liberties groups have been urging that it be updated. There are eight factors the guidance suggests be considered when deciding, including: sensitivity of the affected system or the data stored on it; national security implications; deterrent value of the investigation; and whether the data were obtained though "exceeding authorized access."

Read more in:

FCW: DOJ releases controversial cybercrime prosecution memo
-https://fcw.com/articles/2016/10/28/cfaa-enforcement-carberry.aspx

DoJ: Department Releases Intake and Charging Policy for Computer Crime Matters
-https://www.justice.gov/opa/blog/department-releases-intake-and-charging-policy-
computer-crime-matters

Rule 41 Amendment Expands the Reach of Search Warrants (October 27, 2016)

An amendment to Rule 41 of the Federal Rules of Criminal Procedure will allow law enforcement agents to search electronic devices across the country with just one warrant. The amendment goes into effect on December 1, 2016. Civil liberties groups and other opponents are concerned that the amendment will give law enforcement an over-broad reach. Some legislators have proposed preventing it from taking effect. The US Justice Department has cited the distributed denial-of-service (DDoS) attacks fueled by poorly secured Internet of Things (IoT) devices to support its position that the amendment is necessary.

Read more in:

Washington Post: Cyberattacks put new focus on search-warrant rule
-https://www.washingtonpost.com/business/technology/cyberattacks-put-new-focus-on
-search-warrant-rule-change/2016/10/27/496a23c8-9c8b-11e6-b552-b1f85e484086_stor
y.html

---

INTERNET STORM CENTER TECH CORNER

Volatility Bot: Automated Memory Analysis
-https://isc.sans.edu/forums/diary/Volatility+Bot+Automated+Memory+Analysis/21655
/

911 System Fragility Exposed in Accidental DoS Attacks
-https://staging.mcso.org/Multimedia/PressRelease/911%20Cyber%20Attack.pdf

Vulnerability in Mirai Botnet
-https://www.invincealabs.com/blog/2016/10/killing-mirai/

XNU Kernel (iOS/macOS) task_t Privilege Escalation
-https://googleprojectzero.blogspot.de/2016/10/taskt-considered-harmful.html

snapshot.ps1 DFIR Capture
-https://isc.sans.edu/forums/diary/SEC505+DFIR+capture+script+snapshotps1/21659/

Predicting Domain Reputation
-http://www.icir.org/vern/papers/predator-ccs16.pdf

Mozilla Removing Battery Status API For Privacy Reasons
-https://www.fxsitecompat.com/en-CA/docs/2016/battery-status-api-has-been-removed
/

Windows Privilege Escalation 0-day Actively Exploited
-https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.ht
ml

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create