SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #89

November 08, 2016

TOP OF THE NEWS

China Passes Cybersecurity Law
Britain Will Spend Billions on Cybersecurity
Tesco Bank Freezes Online Transactions After Money Stolen from Accounts
Healthcare Cybersecurity Concerns Go Beyond Personal Health Information

THE REST OF THE WEEK'S NEWS

Cerber Turns its Attention to Databases
Mozilla Disables Battery Status API in Firefox
Cyber Talent Fair Launches in the United States Next Week
Android's November Security Updates Don't Include Fix for Dirty COW
HTTPS Traffic on the Rise
Man Arrested for Alleged University eMail Hacks
Cyber Security Challenge UK 2016 Names Winner
Microsoft Extends EMET Support Through July 2018
Fourteen Arrested in UK for Alleged Roles in Dridex and Dyre Money-Laundering Scheme
Correction: United Kingdom Launches Nationwide Cyber Academy

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

*********************** Sponsored By Sophos Inc. ************************ How many hours do you spend managing IT Security, jumping from console to console, and product to product? How much time do you spend making sure those different tools play well together? There must be a better way to handle IT security, right? Synchronized security to the rescue! Learn More: http://www.sans.org/info/189587

***************************************************************************

TRAINING UPDATE

--Healthcare Cybersecurity Summit & Training | November 14-21, 2016 | Houston, TX | https://www.sans.org/event/healthcare-cyber-security-summit-2016

--SANS London 2016 | November 12-21, 2016 | London, UK | https://www.sans.org/event/london-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC | https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Amsterdam 2016 | December 12-17, 2016 | Amsterdam, Netherlands | https://www.sans.org/event/amsterdam-2016

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA | https://www.sans.org/event/security-east-2017

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA | https://www.sans.org/event/anaheim-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore | https://www.sans.org/event/secure-singapore-2017

***************************************************************************

---

TOP OF THE NEWS

China Passes Cybersecurity Law (November 7, 2016)

China's top legislature has passed a cybersecurity law that will likely make it difficult for foreign technology companies to do business in that country. The 2016 Cybersecurity Law, which will take effect in June 2017, requires that critical infrastructure organizations may only purchase equipment that has been tested and certified by the government. Human Rights Watch has described the law as a "regressive measure that strengthens censorship, surveillance, and other controls over the Internet."


[Editor Comments ]



[Pescatore ]
Many parts of the Chinese law go against the norms of the rest of the world, but requiring security testing of critical infrastructure telecom and computing products is a very good thing. Back in 2005, Chinese company Huawei won British Telecom's procurement competition for upgrading the UK national network. Part of the agreement was that the UK would have to have full visibility into all software and Huawei would fund what since 2010 has been called the Huawei Cyber Security Evaluation Centre (HCSEC) where the UK would test all software before allowing it to be installed. While that approach isn't scalable, the largely ignored Common Criteria for Information Technology Security Evaluation international effort and the US National Infrastructure Assurance Testing Partnership programs could be providing similar value. Another good example: the US Govt. requires all cloud services used by federal government agencies be tested and certified under the FedRAMP program. Not to mention that the government requiring FIPS 140 testing of any crypto to be used by government agencies has been widely successful since the late 1990s.

Read more in:

Computerworld: China passes controversial cybersecurity law
-http://computerworld.com/article/3138951/security/china-passes-controversial-cyb
ersecurity-law.html

Reuters: China adopts cyber security law in face of overseas opposition
-http://www.reuters.com/article/us-china-parliament-cyber-idUSKBN132049

Bloomberg: China Adopts Cybersecurity Law Despite Foreign Opposition
-https://www.bloomberg.com/news/articles/2016-11-07/china-passes-cybersecurity-la
w-despite-strong-foreign-opposition

The Register: China passes new Cybersecurity Law - you have even months to comply if you wanna do biz in Middle Kingdom
-http://www.theregister.co.uk/2016/11/07/china_passes_new_cybersecurity_laws/

Britain Will Spend Billions on Cybersecurity (November 4, 2016)

The UK plans to spend GPB 2.3 billion (US $2.85 billion) on cybersecurity in light of the increasing espionage threat from Russia. The spending includes recruiting 1,000 new intelligence officers. British Chancellor of the Exchequer Philip Hammond warned "hostile foreign actors" could target critical infrastructure like air traffic control systems and power grids and said, "We will not only defend ourselves in cyberspace, we will strike back in kind when we are attacked." The UK Cyber Academy described in the last article is one element of the new program.

Read more in:

VOA News: Britain Invests Billions in Cybersecurity in Face of Russian Threat
-http://www.voanews.com/a/britain-spends-billions-on-cybersecurity-russian-threat
/3580433.html

Tesco Bank Freezes Online Transactions After Money Stolen from Accounts (November 7, 2016)

Tesco Bank has temporarily suspended online transactions for current accounts after discovering that attackers stole funds from 20,000 accounts. A total of 40,000 accounts experienced "suspicious transactions."


[Editor Comments ]



[Ullrich ]
About 30% of accounts were affected by the malicious transaction (40,000 out of 136,000, not 20,000 as reported in some news reports). This indicates a problem within the bank's systems instead of the usual crimeware or weak passwords which usually affected individuals.

Read more in:

CNET: UK bank freezes online transactions after theft
-https://www.cnet.com/news/uk-tesco-bank-freezes-online-transactions-after-theft-
hack/

BBC: Tesco bank attack: What do we know?
-http://www.bbc.com/news/technology-37896273

The Register: Tesco Bank limits online transactions after fraud hits thousands
-http://www.theregister.co.uk/2016/11/07/tesco_bank_breach/

V3: Tesco Bank breach sees money stolen from 20,000 accounts
-http://www.v3.co.uk/v3-uk/news/2476532/tesco-bank-breach-sees-money-stolen-from-
20-000-accounts

Tesco Bank: Message for Current Account customers
-https://yourcommunity.tescobank.com/t5/News/Message-for-Current-Account-customer
s/td-p/6599

Healthcare Cybersecurity Concerns Go Beyond Personal Health Information (November 7, 2016)

Joel Brenner, former NSA senior counsel and current MIT research fellow, says that although health care organizations focus on securing personal health information (PHI), there are other cybersecurity risks that could threaten a hospital's ability to care of patients. Attackers could potentially take down a hospital's IT systems, or make it "go dark". They could also infiltrate the systems and alter critical treatment information, which would quickly erode trust in health care systems. Brenner says that the core of the cybersecurity issues is the fact that "we took a fundamentally insecure network designed to help a small group of trusted scientists collaborate with one another and turned it into the backbone of our economy without thinking through the consequences of generalizing all of the network's vulnerabilities." Brenner says that "this is fundamentally a governance problem, and suggests healthcare organizations look to the SANS Institute's CIS Critical Security Controls for guidance.


[Editor Comments ]


(Northcutt) I hate it when they shut down my insulin pump whether because they target me individually, or they shut down the whole health care facility. And there was a paper released this week about a new rootkit targeting the Internet of Things, (IoT), or more specifically Programmable Logic Controllers, (PLC), that makes it clear that progress is being made at being able to shut down, or manipulate a health care facility. However, if you carefully examine the Rand report on cyber breaches, healthcare, so far, is one of the least targeted/exploited industry segments.


-http://www.bleepingcomputer.com/news/security/researchers-create-undetectable-ro
otkit-that-targets-industrial-equipment/


-http://cybersecurity.oxfordjournals.org/content/early/2016/08/08/cybsec.tyw001

Read more in:

Healthcare IT News: What's the fundamental problem with cybersecurity? Relying on the Internet
-http://www.healthcareitnews.com/news/whats-fundamental-problem-cybersecurity-rel
ying-internet

---

**************************** SPONSORED LINKS ******************************

1) In case you missed this Webcast: Ready to Replace AV? Criteria to Evaluate NGAV Solutions. http://www.sans.org/info/189592

2) Learn about Industrial Internet security use cases that can move your critical infrastructure from vulnerable to secure. http://www.sans.org/info/189597

3) How does your organization classify systems as endpoints, prioritize & manage risks related to those endpoints, and define next-generation endpoint protections? http://www.sans.org/info/189602

******************************************************************************

---

THE REST OF THE WEEK'S NEWS

Cerber Turns its Attention to Databases (November 7, 2016)

Cerber ransomware, which has been used primarily to infect computers belonging to individuals, now has a module that allows it to encrypt databases, which means it can have a greater impact on businesses.

Read more in:

The Register: Cerber ransomware menace now targeting databases
-http://www.theregister.co.uk/2016/11/07/cerber_ransomware_menace_up_ante_now_tar
geting_businesses/

Mozilla Disables Battery Status API in Firefox (November 2 & 7, 2016)

Mozilla is no longer supporting an API that was designed to help conserve devices' batteries because it could be used to snoop on users Internet activity. When Mozilla releases Firefox 52 next year, websites will no longer be able to access the Battery Status API. The feature let websites detect how much power a device's battery has left and serve a less intensive version of the site if the battery appears to be running low. Researchers found that trackers were also using the API to fingerprint users' devices.


[Editor Comments ]



[Williams ]
Advertisers and attackers will find creative ways to abuse features in any application to compromise user's data and privacy. Threat modeling and red teaming can help identify risks your developers would have otherwise missed.

Read more in:

The Register: Apple, Mozilla kill API to deplete W3C battery-snitching standard
-http://www.theregister.co.uk/2016/11/07/apple_mozilla_kill_api_to_batter_battery
_snitching/

TechWeekEurope: Mozilla Disables Battery Tracking API To Tighten Firefox Privacy
-http://www.techweekeurope.co.uk/workspace/browser/mozilla-battery-tracking-api-1
99929

Cyber Talent Fair Launches in the United States Next Week (November 8, 2016)

The 2016 CyberTalent Fair, on Thursday, November 17, is a virtual career fair in which employers engage cybersecurity jobseekers via live chat to fill their vacancies. The registrant breakdown of the last event included 67% with certification(s), 80% with Bachelor's Degree or higher, 52% with 4+ years of experience, and 37% with a Security Clearance. Employers speak highly of the program: "A great platform for us to engage with skilled cybersecurity professionals and job candidates" (CISO, CBS), "Provided us with unique access to a highly desirable candidate poo; the candidates rate very high in knowledge, skills and experience." (Dir, Human Resources NTT Security).

More info: email tkeller@sans.org

Read more in: SANS CyberTalent Fair
-https://www.sans.org/cybertalent/fair

Android's November Security Updates Don't Include Fix for Dirty COW (November 7, 2016)

Google has released its monthly set of updates for Android, and it does not include a fix for the Linux kernel flaw known as Dirty COW. The privilege escalation vulnerability has been present in the Linux kernel since 2007. The flaw is being actively exploited.

Read more in:

Ars Technica: Fix for critical Android rooting bug is a no-show in November patch release
-http://arstechnica.com/security/2016/11/fix-for-critical-android-rooting-bug-is-
a-no-show-in-november-patch-release/

HTTPS Traffic on the Rise (November 4 & 7, 2016)

Google's most recent transparency report includes information about HTTPS traffic. Google says that two-thirds of web pages served over Chrome are HTTPS pages. Chrome users are spending more time on HTTPS pages than on pages that don't use TLS to encrypt communications between the site and the user, a trend Google hopes to see continue to grow.


[Editor Comments ]



[Ullrich ]
Dealing with encrypted traffic can be a challenge for defenders. If TLS is implemented right, then many traditional "man-in-the-middle" type inspection techniques will no longer work. Network traffic analysis has to learn to use what little information can be extracted from client hello messages and certificates prior to the encrypted channel being set up. We do have a webcast this Wednesday discussing some of these techniques.
-https://www.sans.org/webcasts/8-ways-watch-invisible-analyzing-encrypted-network
-traffic-103277


[Pescatore ]
And the measurable benefit of the increased SSL usage has been what? Default encryption of network traffic is generally a good thing but I feel like it tends to divert attention and resources towards making progress in routinely and persistently encrypting data. It is sort of like people on diets feeling good because they switched to low fat muffins, which often have more calories than the full fat versions. SSL certainly impedes bulk collection by government agencies, but it does little against the actual threats that are leading to actual data breaches and business disruption.


[Honan ]
Interestingly enough we are seeing this during our security assessments of clients' wifi networks. The amount of encrypted traffic is noticeably increasing over time and a great example of how security can be designed into a system without disrupting the user experience too much. We need to look at more ways we can make strong security transparent to the ordinary users.

Read more in:

SC Magazine: HTTPS traffic increasing, says Google
-https://www.scmagazine.com/https-traffic-increasing-says-google-report/article/5
70968/

The Register: User danger declines as two thirds of Chromistas now use HTTPS
-http://www.theregister.co.uk/2016/11/07/google_celebrates_ssl_boom_as_popular_si
tes_ditch_http_cleartext/

Google: Google Transparency Report: HTTPS Usage
-https://www.google.com/transparencyreport/https/metrics/?hl=en

Man Arrested for Alleged University eMail Hacks (November 2 & 7, 2016)

Authorities have arrested an Arizona man in connection with a series of email break ins at US universities and attempted similar break ins at other colleges. Jonathan Powell allegedly reset passwords for more than 1,000 of the accounts. He also allegedly compromised social media accounts linked to those email accounts.

Read more in:

Reuters: Arizona man arrested for hacking email accounts at universities
-http://www.reuters.com/article/us-usa-cyber-universities-idUSKBN12X2MG

The Register: Password reset warrior arrested for popping 1050 student accounts
-http://www.theregister.co.uk/2016/11/07/password_reset_warrior_arrested_for_popp
ing_1050_ny_uni_accounts/

Cyber Security Challenge UK 2016 Names Winner (November 4, 5 & 7, 2016)

The Cyber Security Challenge UK 2016 has named Ben Jackson as this year's champion. Jackson, who is 18, is the youngest person to win in the challenge's six-year history. The initial pool of participants was winnowed down to just 42 through qualifying rounds over the course of the year. Those finalists competed in a three-day event, investigating a simulated cyberattack against a fictional power company and protecting it from attackers.

Read more in:

Cyber Security Challenge: 18-year-old student becomes youngest ever US Cyber Security Champion
-https://cybersecuritychallenge.org.uk/news-events/18-year-old-student-becomes-yo
ungest-ever-uk-cyber-security-champion


SC Magazine UK: Cyber Security Challenge UK crowns youngest ever champion
-http://www.scmagazineuk.com/cyber-security-challenge-uk-crowns-youngest-ever-cha
mpion/article/571063/

Government Computing: 18-year-old named youngest ever UK cyber security champion
-http://central-government.governmentcomputing.com/news/18-year-old-named-younges
t-ever-uk-cyber-security-champion-5660934

Microsoft Extends EMET Support Through July 2018 (November 4 & 5, 2016)

Microsoft originally planed to end support for its Enhanced Mitigation Experience Toolkit (EMET) on January 27, 2017, but has decided to extend support through July 31, 2018. Microsoft said it made the decision based on customer feedback. EMET was first introduced in 2009.


[Editor Comments ]



[Williams ]
So EMET isn't dead, yet. While I always recommend organizations run EMET, if Microsoft holds to this date, EMET will lose support 18 months before Windows 7. I'm not sure if this is intentional, but if your organization will be rolling off of Windows 7 at the last minute, you are unlikely to have up-to-date EMET support. January 2020 seems like a long way away for Windows 7 End-Of-Life, but it will be here sooner than you think.

Read more in:

Dark Reading: Microsoft Extends Support For Doomed EMET To July 2018
-http://www.darkreading.com/application-security/microsoft-extends-support-for-do
omed-emet-to-july-2018/d/d-id/1327417?

The Register: Microsoft extends support for EMET security tool
-http://www.theregister.co.uk/2016/11/04/happy_hack_hardening_emet_helmet_to_guar
d_users_past_win_8_death/

ZDNet: Microsoft delays Enhanced Mitigation Experience Toolkit support cut-off to July 2018
-http://www.zdnet.com/article/microsoft-delays-enhanced-mitigation-experience-too
lkit-support-cut-off-to-july-2018/

Fourteen Arrested in UK for Alleged Roles in Dridex and Dyre Money-Laundering Scheme (November 4, 2016)

Authorities in the UK have arrested 14 people in connection with a money-laundering scheme involving proceeds from Dridex and Dyre malware. The individuals arrested are believed to be involved in setting up bank accounts into which the stolen money could be deposited. Authorities from Romania and Moldova were also involved in the arrests.

Read more in:

The Register: Brit cops cuff 14 in GBP 11m in money-laundering malware ring sting
-http://www.theregister.co.uk/2016/11/04/nca_arrests_14_dridex_malware_money_laun
dering/

V3: UK arrests 14 for (GBP)11m malware money laundering racket
-http://www.v3.co.uk/v3-uk/news/2476416/uk-arrests-14-for-gbp11m-malware-money-la
undering-racket

Correction: United Kingdom Launches Nationwide Cyber Academy

In the last issue of Newsbites, the sponsor of the UK Talent Test and Cyber Academy was incorrectly listed as GCHQ (the UK NSA equivalent). The Cyber-Retraining Academy is actually sponsored by the UK Department for Culture, Media and Sport, and is an innovative approach to the cyber skills pipeline problem involving nationwide search, talent testing, and intense training through a 10-week, hands-on boot-camp, that proved remarkably effective in a pilot program run in 2015. The program is part of the UK's National Cyber Security Strategy. No prior experience in cybersecurity is required; instead, the program is seeking people with "natural aptitude." The program will initially accept 50 students identified through a nationwide talent search and a unique talent test that measures both skills and key psychometric elements associated with success in advanced cyber jobs. Training starts in London on January 23.

Read more in:

V3: Government seeks cyber security heroes with retraining open to all
-http://www.v3.co.uk/v3-uk/news/2476118/government-seeks-cyber-security-heroes-wi
th-retraining-courses-open-to-all

SC Magazine UK: New cyber-academy formed to fast-track next generation of security experts


-http://www.scmagazineuk.com/new-cyber-academy-formed-to-fast-track-next-generati
on-of-security-experts/article/570144/


-http://www.mirror.co.uk/tech/government-funds-drone-hacking-bootcamp-9180335


-http://www.bbc.co.uk/news/technology-37848549


-http://www.dailymail.co.uk/news/article-3896724/Could-Cyberwarrior-Government-st
aging-try-outs-50-anti-hackers-s-open-people-don-t-work-computers.html


-https://www.theguardian.com/technology/shortcuts/2016/nov/02/are-you-a-top-secre
t-cyber-security-genius-take-our-test


-http://www.thetimes.co.uk/edition/news/cyberforce-seeks-50-elite-brains-grwppcs2
d

---

INTERNET STORM CENTER TECH CORNER

Hancitor Maldoc Bypasses Application Whitelisting
-https://isc.sans.edu/forums/diary/Hancitor+Maldoc+Bypasses+Application+Whitelist
ing/21683/

Microsoft Extends EMET Support Deadline
-https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/

Wifi Based IMSI Catcher
-https://www.blackhat.com/docs/eu-16/materials/eu-16-OHanlon-WiFi-IMSI-Catcher.pd
f

Tesco Bank Limits Online Banking After Online Criminal Activity
-https://yourcommunity.tescobank.com/t5/News/Message-for-Current-Account-customer
s/td-p/6599

Belkin WeMo Devices Used to Attack Mobile Devices
-https://www.blackhat.com/eu-16/briefings/schedule/index.html#breaking-bhad-abusi
ng-belkin-home-automation-devices-4640

Fake Retail Apps Flooding Apple App Store
-http://www.nytimes.com/2016/11/07/technology/more-iphone-fake-retail-apps-before
-holidays.html?_r=0

Netflix Password Recovery via Phone Call Vulnerability
-https://slashcrypto.org/2016/11/07/Netflix/

---

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board