Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #88

November 04, 2016

TOP OF THE NEWS

United Kingdom Launches Nationwide Cyber Academy - May Include Drone Hacking
NIST Draft Cybersecurity Workforce Framework

THE REST OF THE WEEK'S NEWS

Wix.com Flaw Could Be Exploited to Take Control of Websites
Ubuntu Core 16 Aims to Bring Security to IoT Devices
Mirai Botnet Targets IP Addresses in Liberia
Privacy Shield Data Transfer Agreement Faces Another Legal Challenge
NIST Draft eMail Security Guidance
Prison for Man Who Launched Attacks Against Computers at Companies and Universities
Titanium Stresser Booter Service Operator Pleads Guilty
TalkTalk Pays Fine in Breach Case
Internet Systems Consortium Patches BIND Assertion Failure Vulnerability
Microsoft's Monthly Update Will Include Fix for Flaw Google Disclosed

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


******************** Sponsored By Trend Micro Inc. **********************

The second in a 3-part series on research the Trend Micro Forward-Looking Threat Research team performed on pager communications used within various industries. This report focuses on critical infrastructure and how weaknesses in pager technology can be abused against organizations within this sector. http://www.sans.org/info/189567

***************************************************************************

TRAINING UPDATE

--Healthcare Cybersecurity Summit & Training | November 14-21, 2016 | Houston, TX | https://www.sans.org/event/healthcare-cyber-security-summit-2016

--SANS London 2016 | November 12-21, 2016 | London, UK | https://www.sans.org/event/london-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC | https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Amsterdam 2016 | December 12-17, 2016 | Amsterdam, Netherlands | https://www.sans.org/event/amsterdam-2016

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA | https://www.sans.org/event/security-east-2017

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA | https://www.sans.org/event/anaheim-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore | https://www.sans.org/event/secure-singapore-2017

***************************************************************************

TOP OF THE NEWS

United Kingdom Launches Nationwide Cyber Academy Initiative - May Include Drone Hacking (November 2, 2016)

The UK's GCHQ announced the Cyber-Retraining Academy, an innovative approach to the cyber skills pipeline problem involving nationwide search, talent testing, and intense training through a 10-week, hands-on boot-camp, that proved remarkably effective in a pilot program run in 2015. The program is part of the UK's National Cyber Security Strategy. No prior experience in cybersecurity is required; instead, the program is seeking people with "natural aptitude." The program will initially accept 50 students identified through a nationwide talent search and a unique talent test that measures both skills and key psychometric elements associated with success in advanced cyber jobs. Training starts in London on January 23.

[Editor Comments ]



[Assante ]
This type of effort is critical to grow and shape the workforce necessary to remain competitive and vibrant in today's world. Deeper dives into hands-on technical skills and imparting accurate mental models of how systems are attacked and can be defended are crucial for both positive technical outcomes and informed risk decision making.


[Honan ]
This is a great initiative that many other governments and indeed private companies should look to emulate.


[Paller ]
Nearly every major news source in the UK covered the drone-hacking dimension, but the UK's Cyber Academy bootcamp fully covers non-military, general purpose cybersecurity, as well.

Read more in:


-http://www.bbc.co.uk/news/technology-37848549
">
-http://www.bbc.co.uk/news/technology-37848549


V3: Government seeks cyber security heroes with retraining open to all
-http://www.v3.co.uk/v3-uk/news/2476118/government-seeks-cyber-security-heroes-wi
th-retraining-courses-open-to-all


SC Magazine UK: New cyber-academy formed to fast-track next generation of security experts
-http://www.scmagazineuk.com/new-cyber-academy-formed-to-fast-track-next-generati
on-of-security-experts/article/570144/



-http://www.bbc.co.uk/news/technology-37848549
">
-http://www.bbc.co.uk/news/technology-37848549



-http://www.mirror.co.uk/tech/government-funds-drone-hacking-bootcamp-9180335


-http://www.dailymail.co.uk/news/article-3896724/Could-Cyberwarrior-Government-st
aging-try-outs-50-anti-hackers-s-open-people-don-t-work-computers.html



-https://www.theguardian.com/technology/shortcuts/2016/nov/02/are-you-a-top-secre
t-cyber-security-genius-take-our-test



-http://www.thetimes.co.uk/edition/news/cyberforce-seeks-50-elite-brains-grwppcs2
d

NIST Draft Cybersecurity Workforce Framework (November 2 and 3, 2016)

The US National Institute of Standards and Technology (NIST) has published a draft cybersecurity workforce framework. The document aims to "allow our nation to more effectively identify, recruit, develop and maintain its cybersecurity talent." The framework offers a common language to provide consistency across agencies when discussing cybersecurity work. The framework also aims to be "a building block for the development of training standards, as well as for individual career planning." Comments will be accepted through January 6, 2017.

[Editor Comments ]



[Assante ]
The government can be like my son when he was three years old. It likes to amass a lot of building blocks and throw them out all over the bedroom floor. I hope they spend as much time building with them as my son did, otherwise the scattered blocks simply trip up stressed and tired people looking to solve problems in the hopes of finding peace.

Read more in:

Healthcare IT News: NIST unveils new cybersecurity workforce framework
-http://www.healthcareitnews.com/news/nist-unveils-new-cybersecurity-workforce-fr
amework


GCN: getting on the same page in cybersecurity talent hunt
-https://gcn.com/articles/2016/11/03/nist-cyber-talent-framework.aspx?admgarea=TC
_SecCybersSec


NIST: DRAFT NICE Cybersecurity Workforce Framework (NCWF): National Initiative for Cybersecurity Education
-http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-181


*************************** SPONSORED LINKS *****************************
1) In case you missed it: Hear from security pioneers who are upgrading to NGAV and want to share their experiences. Register: http://www.sans.org/info/189572

2) Learn about Industrial Internet security use cases that can move your critical infrastructure from vulnerable to secure. http://www.sans.org/info/189577

3) How does your organization classify systems as endpoints, prioritize & manage risks related to those endpoints, and define next-generation endpoint protections? http://www.sans.org/info/189582
***************************************************************************

THE REST OF THE WEEK'S NEWS

Wix.com Flaw Could Be Exploited to Take Control of Websites (November 3, 2016)

The Wix.com website-building platform has been found to contain a flaw that could be exploited in a cross-site scripting (XSS) attack to take control of administrator accounts. The document object model (DOM) XXS vulnerability can be exploited "by adding a single parameter to any site created on Wix." Wix.com has addressed the issue.

[Editor Comments ]



[Williams ]
The lesson here is that enterprises should have a static copy of their site ready to deploy in the case of a security issue like this. A static web page can be launched quickly on any VPS service to provide continuity during a security event.

Read more in:

ZDNet: Wix.com security flaw places millions of websites at risk
-http://www.zdnet.com/article/wix-com-security-flaw-places-millions-of-websites-a
t-risk/


The Register: Universal hijack hole turns DIY Wix blogs into botnets
-http://www.theregister.co.uk/2016/11/03/universal_hijack_hole_sees_wix_sht_brick
s/


Tech Week Europe: Zero-Day Security Hole In Wix Hosting Service Exposed Millions Of Websites
-http://www.techweekeurope.co.uk/security/wix-zero-day-security-millions-of-websi
tes-vulnerable-to-hacker-takeover-200036

Ubuntu Core 16 Aims to Bring Security to IoT Devices (November 3, 2016)

Canonical's Ubuntu Core 16 for IoT offers regular security updates for Internet connected devices. Ubuntu Core 16 incorporates Snaps, a feature that allows updates to reach devices easily. If another critical flaw, like Dirty COW or Bash, were to be detected, updates could be pushed out to devices running Ubuntu Core 16.

[Editor Comments ]



[Pescatore ]
IoT vendors need to do what most browser vendors have done - move to more secure code bases and continuously update. There is a higher diversity of IoT operating systems, however, and less commonality between the consumer side of the problem and the enterprise side. The "thing" industry is also very fragmented - this all means odds are low that industry will deal with the problem on its own. In some countries, ISPs may take action since compromised IoT devices will be sucking up their wireless bandwidth. Government agencies will be slow to move but such action will probably be required in the long run.

Read more in:

The Register: Ubuntu Core Snaps door shut on Linux's new Dirty COWs
-http://www.theregister.co.uk/2016/11/03/ubuntu_core_snaps_door_shut_on_new_dirty
_cows/


ZDNet: Ubuntu Core 16: Linux for a secure Internet of Things
-http://www.zdnet.com/article/ubuntu-core-16-linux-for-a-secure-internet-of-thing
s/

Mirai Botnet Targets IP Addresses in Liberia (November 3, 2016)

A botnet powered by Mirai malware has been disrupting businesses in Liberia. A similar attack against US DNS service provider Dyn several weeks ago caused some popular sites to be temporarily unavailable. The botnet used in the attack against Liberian addresses is capable of directing 500 Gbps of traffic at its targeted systems.

Read more in:

Computerworld: DDoS attack with Mirai malware 'killing business' in Liberia
-http://computerworld.com/article/3138489/security/ddos-attack-with-mirai-malware
-killing-business-in-liberia.html

Privacy Shield Data Transfer Agreement Faces Another Legal Challenge (November 3, 2016)

A French digital rights organization is challenging the legality of Privacy Shield, the revamped data transfer agreement that would allow data transfer between the EU and the US. Le Quadrature du Net filed a suit with the European Union's European Commission seeking annulment of the Commission's decision that Privacy Shield provides adequate privacy and security protection of EU citizens' data. In September, Digital Rights Ireland announced it would challenge the validity of the agreement. Privacy Shield took effect last summer; it replaced the Safe Harbor agreement that the European Court of Justice deemed insufficient in October 2015.

Read more in:

Computerworld: A second privacy Shield legal challenge increases threat to EU-US data flows
-http://computerworld.com/article/3138405/data-privacy/a-second-privacy-shield-le
gal-challenge-increases-threat-to-eu-us-data-flows.html


The Irish Times: Court challenge to Privacy Shield wide reverberations
-http://www.irishtimes.com/business/technology/court-challenge-to-privacy-shield-
will-have-wide-reverberations-1.2852231

NIST Draft eMail Security Guidance (November 2, 2016)

The US National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE) has released daft guidance on email security. The document describes several technologies that, if adopted, could increase the security of email communications. Comments will be accepted through December 19, 2016.

[Editor Comments ]



[Northcutt ]
I like the "building blocks" approach a lot. Anything that moves DNSSEC forward is positive. The guidance appears to be well thought out. I haven't tried to implement it, but that might make a great project for the next couple of SANS.EDU grad student projects. But, why must the NCCoE web site be so dependent on running scripts on the visiting browser. Repeat after me, static pages are not as cool as scripted pages, but they are certainly safer. If you are a Cybersecurity Center of Excellence, choose the safer choice.

Read more in:

The Register: Uncle Sam emits DMS email security guide - now speak your brains
-http://www.theregister.co.uk/2016/11/02/us_government_dns_email_security_guide/

NCCOE NIST: DNS-Based Secured Email
-https://nccoe.nist.gov/projects/building_blocks/secured_email

Prison for Man Who Launched Attacks Against Computers at Companies and Universities (November 2, 2016)

A US District Judge in Illinois has sentenced Timothy Justen French to nearly four years in prison for his role in a series of attacks against numerous websites, including the US Department of Homeland Security (DHS) and the World Health Organization. French shared stolen user account information online. He was arrested in 2014, and in a plea bargain, pleaded guilty last December to one count of intentionally damaging a protected computer without authorization for stealing information from a Canadian telecommunications company.

Read more in:

The Register: NullCrew's Canadian telco hacker thrown in the clink for four years
-http://www.theregister.co.uk/2016/11/02/nullcrew_hacker_gets_four_years_prison/

US Dept. of Justice: Member of Computer Hacking Group "NullCrew" Sentenced to Nearly Four Years for Launching Cyber-Attacks on Corporation and Universities
-https://www.justice.gov/usao-ndil/pr/member-computer-hacking-group-nullcrew-sent
enced-nearly-four-years-launching-cyber

Titanium Stresser Booter Service Operator Pleads Guilty (November 2, 2016)

A 19-year-old UK man has pleaded guilty to two offenses under the Computer Misuse Act and to money laundering for operating the Titanium Stresser booter service. According to prosecutors, Adam Mudd earned more than US $385,000 from the distributed denial-of-service (DDoS)-as-a-service. Titanium Stresser was used to launch nearly 600 DDoS attacks against 181 targets between December 2013 and March 2015.

Read more in:

The Register: Teen UK hacker pleads guilty after earning $385k from DDoS tool
-http://www.theregister.co.uk/2016/11/02/teen_uk_hacker_pleads_guilty_after_earni
ng_385k_from_ddos_tool/

TalkTalk Pays Fine in Breach Case (November 2, 2016)

UK telecommunications company TalkTalk has paid a fine of GBP 320,000 imposed by the Information Commissioner's Office (ICO) for a breach that compromised personal information of thousands of TalkTalk customers in October 2015. The original penalty of GBP 400,000 (TalkTalk took advantage of a 20 percent discount for paying by November 1) is the largest the ICO has imposed. One person has been charged in a case related to the attack.

[Editor Comments ]



[Pescatore ]
The TalkTalk breach was scoped to be about 157,000 customer private information records compromised. Realistically, that cost them in the range of $16M to deal with so a $400K fine shouldn't really be significant; but corporate history has shown that such fines are effective in changing corporate behavior. The negative publicity does influence CEOs and directors, but the fines are also a single line item, where breach costs get spread out across many different areas. For security folk, the best possible thing is for one of your direct competitors to get fined - make sure you communicate that upwards!

Read more in:

V3: TalkTalk hack: Firm settles ICO fine for GBP320,000
-http://www.v3.co.uk/v3-uk/news/2476172/talktalk-hack-firm-settles-ico-fine-for-g
bp320-000

Internet Systems Consortium Patches BIND Assertion Failure Vulnerability (November 2, 2016)

The Internet Systems Consortium has issued a fix for a flaw in BIND that could be exploited to cause assertion failure. The vulnerability is caused by a problem with the way BIND handles responses containing a DNAME answer. Users are urges to patch systems as soon as they can; there is no workaround available. The updates include BIND 9 versions 9.9.9-P4; 9.10.4-P4; 9.11.0-P1; and 9.9.9-S6.

[Editor Comments ]



[Williams ]
There are very few application that require or use DNAME records. MS 15-127 was a (very serious) flaw in Windows DNS services that exploited DNAME recursion. When evaluating software for security issues, pay special attention to less-used functionality - that's where many bugs remain undetected.

Read more in:

SC Magazine: BIND security update patches DoS flaw
-https://www.scmagazine.com/isc-releases-bind-patch-flaw-that-could-lead-to-asser
tion-failure/article/570335/


ISC: A problem with handling responses containing a DNAME answer can lead to an assertion failure
-https://kb.isc.org/article/AA-01434/0

Microsoft's Monthly Update Will Include Fix for Flaw Google Disclosed (November 1 and 2, 2016)

Microsoft's monthly security update, scheduled for Tuesday, November 8, will include a fix for a privilege elevation flaw in the Windows kernel recently disclosed by Google. The vulnerability is being actively exploited; Microsoft said the attackers are the same group that broke into computers belonging to the US Democratic National Committee (DNC). Microsoft made clear its disappointment with Google's decision to disclose the flaw just 10 days after initial notification.

Read more in:

CNET: Microsoft to fix Windows flaw exploited by hackers?
-https://www.cnet.com/news/microsoft-to-patch-windows-flaw-next-week-russian-hack
ers-spearphishing/


Computerworld: Microsoft to patch Windows bug that Google revealed
-http://computerworld.com/article/3137523/windows-pcs/microsoft-to-patch-windows-
bug-that-google-revealed.html


INTERNET STORM CENTER TECH CORNER

Malvertising On Google AdWords Targeting macOS Users
-http://blog.cylance.com/malvertising-on-google-adwords-targeting-macos-users

Microsoft Response to Google Privilege Escalation Disclosure
-https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-custom
ers-security/

Memcached Remote Code Execution Vulnerabilities
-http://blog.talosintel.com/2016/10/memcached-vulnerabilities.html

SAP Vulnerability Details Released
-https://erpscan.com/press-center/blog/0-day-sap-vulnerability-published-heres-ca
n/

Exchange Web Service Two-Factor Authentication Bypass
-http://www.blackhillsinfosec.com/?p=5396

Barracuda DoS Disrupts Mail Delivery
-http://status.barracuda.com

Targobank Looses Account Data After Maintenance
-http://www.spiegel.de/wirtschaft/service/targobank-kunden-fehlt-geld-auf-dem-kon
to-it-probleme-a-1119434.html

(german only)

Ouch! Security Awareness Newsletter
-http://securingthehuman.sans.org/newsletters/ouch/issues/OUCH-201611_en.pdf

Reconstruct Binaries Sent via Telnet
-https://isc.sans.edu/forums/diary/Extracting+Malware+Transmitted+Via+Telnet/2167
3/

Wix.com DOM Based XSS
-https://www.contrastsecurity.com/security-influencers/dom-xss-in-wix.com

DNS Based Mail Security
-https://nccoe.nist.gov/projects/building_blocks/secured_email

Web of Trust Plugin Released Anonymized User Data
-https://www.mywot.com/en/forum/70396--virus-spyware-do-not-install-uninstall-as-
soon-as-possible



***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board