SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #90
November 11, 2016
TOP OF THE NEWS
Cyber Attacks Pummel Russian BanksCyber Crisis Advice for the Incoming US President
Finland Apartment Management System DDoS Attack Leaves Residents Without Hot Water
Google Cracking Down on Websites' End-Runs Around Security
THE REST OF THE WEEK'S NEWS
Tesco Bank Refunds Money Stolen from Customers' AccountsYahoo Insiders Knew of Attack in 2014
Microsoft Patch Tuesday
16-Year Sentence for Payment Card Fraud
Indiana County Government Will Pay to Remove Ransomware
Adobe Updates Flash Player and Adobe Connect
Android Updates Fix 83 Vulnerabilities
NIST Pushes Up Publication Date for Systems Security Engineering Guidance
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER************************* Sponsored By Splunk ***************************
Did you know Splunk Enterprise Security is made up of distinct frameworks that can each be leveraged independently to meet specific security use cases?
Join this webinar to learn the technical details behind key Splunk Enterprise Security frameworks. Splunk experts will also discuss real-world examples and demo these frameworks.
http://www.sans.org/info/189747
***************************************************************************
TRAINING UPDATE
--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC | https://www.sans.org/event/cyber-defense-initiative-2016
--SANS Amsterdam 2016 | December 12-17, 2016 | Amsterdam, Netherlands | https://www.sans.org/event/amsterdam-2016
--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA | https://www.sans.org/event/security-east-2017
--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017
--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017
--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017
--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA | https://www.sans.org/event/anaheim-2017
--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017
--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore | https://www.sans.org/event/secure-singapore-2017
***************************************************************************
TOP OF THE NEWS
Cyber Attacks Pummel Russian Banks (November 10, 2016)
Russia's banking regulator says that five banks in that country have been targeted by distributed denial-of-service (DDoS) attacks. The attacks have been described as the largest even seen against Russian banks. The intermittent attacks began on November 8. Those behind the attacks are believed to have harnessed the power of vulnerable IoT devices.Read more in:
BBC: Russian banks hit by cyber-attacks
-http://www.bbc.com/news/technology-37941216
Cyber Crisis Advice for the Incoming US President (November 7, 2016)
The next president of the United States will undoubtedly face a cyber crisis. Government agencies have had trouble defending their systems against breaches and nation-state adversaries steal information. Experts and former federal officials have identified five priorities can help guide the president in this arena: Building a real cyber strategy; creating playbooks; building cyber norms; choosing priorities; and shifting focus to the private sector.Read more in:
Nextgov: The next president Will Face a Cyber Crisis. Here's How to Handle it
-http://www.nextgov.com/security/2016/11/next-president-will-face-cyber-crisis-he
res-how-handle-it/132953/?oref=ng-HPtopstory&&&utm_term=Editorial%20
-%20Early%20Bird%20Brief
Finland Apartment Management System DDoS Attack Leaves Residents Without Hot Water (November 7 & 9, 2016)
The building management systems for two apartment buildings in Lappeenranta were targeted in a distributed denial-of-service (DDoS) attack that left residents with no central heating or hot water for more than a week.[Editor Comments ]
[Honan ]
This brings a whole new definition to a cyber cold war.
Read more in:
The Register: Finns chilling as DDoS knocks out building control system
-http://www.theregister.co.uk/2016/11/09/finns_chilling_as_ddos_knocks_out_buildi
ng_control_system/
Forbes: Hackers Use DDoS Attacks To Cut Heat To Apartments
-http://www.forbes.com/sites/leemathews/2016/11/07/ddos-attack-leaves-finnish-apa
rtments-without-heat/#1eb6e6df7472
Metropolitan.fi: DDoS attack halts heating in Finland amidst winter
-http://metropolitan.fi/entry/ddos-attack-halts-heating-in-finland-amidst-winter
Google Cracking Down on Websites' End-Runs Around Security (November 9, 2016)
Google is paying attention when websites take the easy way out of complying with its Safe Browsing terms. If a site is deemed unsecure, users will see warnings in most browsers. Webmasters can ask to have the warnings removed once they have brought their sites into compliance. Google was finding that some sites make changes to get the warnings removed, but quickly revert to unsecure practices. Google's Safe Browsing rules now include a "repeat offender" category. "Repeat Offenders are websites that repeatedly switch between compliant and policy-violating behavior for the purpose of having a successful review and having warnings removed." Webmasters of sites identified as repeat offenders must now wait 30 days before requesting a review.[Editor Comments ]
[Pescatore ]
Google is illustrating the superiority of the continuous monitoring approach to security of the one-off audit approach. Google is also leading the way in making customer safety a competitive advantage - very important in their advertising business that depends on customer data but increasingly a factor in all business.
Read more in:
Computerworld: Google punished web backsliders in Chrome
-http://computerworld.com/article/3140227/web-browsers/google-punishes-web-backsl
iders-in-chrome.html
*************************** SPONSORED LINKS *****************************
1) Don't Miss: "The Art of Risk Mitigation Through Holistic Security Analytics" Learn More: http://www.sans.org/info/189752
2) ) How does your organization classify systems as endpoints, prioritize & manage risks related to those endpoints, and define next-generation endpoint protections? http://www.sans.org/info/189757
3) DFIR Curriculum Lead Rob Lee discusses Enterprise-Wide Cyber Incident Response at the InfoSecurity Magazine Conference Boston, Dec 7. Use discount code: SANSINFOSEC201619 to get 40% off conference registration. http://www.sans.org/info/189762
******************************************************************************
THE REST OF THE WEEK'S NEWS
Tesco Bank Refunds Money Stolen from Customers' Accounts (November 9 & 10, 2016)
Tesco bank has reimbursed 9,000 customers a total of GBP 2.5 million (US $3.11 million) that was stolen during a cyber attack last weekend. Tesco has also lifted the temporary freeze it imposed on online transactions after learning of the attack. The UK's National Cyber Security Centre and the National Crime Agency are investigating the attack.Read more in:
BBC: Tesco Bank says attack cost it GBP 2.5m and hit 9,000 people
-http://www.bbc.com/news/business-37915755
V3: Tesco Bank refunds GBP 2.5m to 9,000 customers in wake of major cyber attack
-http://www.v3.co.uk/v3-uk/news/2476797/tesco-bank-refunds-gbp25m-to-9-000-custom
ers-in-wake-of-major-cyber-attack
SC Magazine UK: Tesco Bank resumes service, lost GBP 2.5m, 9000 customers affected
-http://www.scmagazineuk.com/tesco-bank-resumes-service-lost-25-million-9000-cust
omers-affected/article/571731/
The Register: What went wrong at Tesco bank?
-http://www.theregister.co.uk/2016/11/10/tesco_bank_breach_analysis/
Yahoo Insiders Knew of Attack in 2014 (November 9 & 10, 2016)
In a recent Securities and Exchange Commission filing Yahoo wrote, "An independent Committee of the Board ... is investigating ... the scope of knowledge within the Company in 2014 and thereafter regarding" the 2014 breach in which large amounts of customer data were stolen. Yahoo initially said that it did not discover the breach until an August 2016 investigation into a separate incident. In the filing, Yahoo admits that the information may cause Verizon to reconsider its takeover bid.[Editor Comments ]
[Honan ]
Security incidents are no longer purely technical issues. Rather they are increasingly business-impacting events which need to be managed by all elements of the business, not just IT security. Review your incident response processes and ensure that the right people in the business are notified of security breach in a timely manner and are appropriately engaged in incident response.
Read more in:
CNET: Yahoo admits some employees knew of massive hack in 2014
-https://www.cnet.com/news/yahoo-admits-some-employees-knew-of-massive-hack-in-20
14/
Computerworld: Yahoo investigating if insiders knew of hack
-http://computerworld.com/article/3140231/security/yahoo-investigating-if-insider
s-knew-of-hack.html
BBC: Yahoo knew of 'state-backed' hack in 2014
-http://www.bbc.com/news/technology-37936219
SEC: Yahoo Filing -- United States Securities and Exchange Commission Form 10-Q
-https://www.sec.gov/Archives/edgar/data/1011006/000119312516764376/d244526d10q.h
tm
Microsoft Patch Tuesday (November 9, 2016)
On Tuesday, November 8, Microsoft released 14 security bulletins addressing 68 vulnerabilities in Windows, Office, Edge, Internet Explorer, and SQL Server. Two of the fixes are for vulnerabilities that are being actively exploited, and three are for vulnerabilities that were publicly disclosed before the fixes were released. One of the flaws fixes in this month's release is the Windows Kernel-Mode Drive issue that Google disclosed 10 days after notifying Microsoft about the problem.[Editor Comments ]
[Ullrich ]
After Microsoft released its patches, proof of concept exploits were released for two vulnerabilities. As usual, patches need to be applied expeditiously. At this point, no problems have been reported for this latest set of updates.
Read more in:
Internet Storm Center:
-https://isc.sans.edu/forums/diary/November+2016+Microsoft+Patch+Day/21689/
KrebsOnSecurity: Patch Tuesday, 2016 U.S. Election Edition
-https://krebsonsecurity.com/2016/11/patch-tuesday-2016-u-s-election-edition/
Computerworld: Microsoft patches 68 vulnerabilities, two actively exploited ones
-http://computerworld.com/article/3139969/security/microsoft-patches-68-vulnerabi
lities-two-actively-exploited-ones.html
V3: Microsoft fixes Windows security flaw made public by Google
-http://www.v3.co.uk/v3-uk/news/2476835/microsoft-fixes-windows-security-flaw-mad
e-public-by-google
Technet: Microsoft Security Bulletin Summary for November 2016
-https://technet.microsoft.com/en-us/library/security/MS16-NOV
16-Year Sentence for Payment Card Fraud (November 8, 2016)
A U.S. District Judge has sentenced Michel Lermos-Hernandez to 199 months in prison for his role in a scheme involving keyloggers installed on payment card reading devices to steal information and then manufacturing fraudulent copies of the cards and using them to buy expensive merchandise. Lermos-Hernandez was also ordered to pay more than US $700,000 in restitution. He was found guilty of conspiracy to commit bank fraud and aggravated identity theft. Three other people connected with the scheme have already been sentenced to prison.Read more in:
US Dept. of Justice: Ringleader of Tampa Credit Card Fraud And Identity Theft Ring Sentenced to More than 16 Years In Prison
-https://www.justice.gov/usao-mdfl/pr/ringleader-tampa-credit-card-fraud-and-iden
tity-theft-ring-sentenced-more-16-years
Indiana County Government Will Pay to Remove Ransomware (November 8, 9, & 10, 2016)
After ransomware hit the IT systems of Madison County, Indiana government, the county commissioners voted unanimously to pay the ransom. The attack shut down county services for days. The county's insurance company, Travelers, is covering the cost of the ransom, less a deductible. In a separate story (SC Magazine), the Lansing (Michigan) Board of Water & Light acknowledged that it paid $25,000 to regain control of its accounting and email systems earlier this year.[Editor Comments ]
[Pescatore ]
The Madison County IT director said that, as part of the effort to restore after paying the extortion. "We're in the process of adding a backup system." That means the insurance is paying off for an incident that was due to the complete lack of basic hygiene. However, the full cost of the multi-day outage of services and full cost of recovery the county will pay (even subtracting the insurance payoff) will still exceed the cost of having had backup processes and technology in place to avoid the impact. Not long ago a small police department in Barnstable MA demonstrated just that.
[Williams ]
Targeted ransomware attacks are on the rise. Organizations with weak cyber security standards should expect to be hit by attackers holding their systems hostage. We are moving from drive-by ransomware to targeted attacks. Even if you don't deal with regulated data, ransomware is making cyber security a "pay now or pay later" cost.
Read more in:
Ars Technica: Indiana county government shut down by ransomware to pay up
-http://arstechnica.com/security/2016/11/indiana-county-government-shut-down-by-r
ansomware-to-pay-up/
Network World: Ransomware hammers Madison County, Indiana
-http://www.networkworld.com/article/3139975/security/ransomware-hammers-madison-
county-indiana.html
SC Magazine: Lansing, Michigan utility admits paying ransomware demand
-https://www.scmagazine.com/lansing-michigan-utility-admits-paying-ransomware-dem
and/article/572180/
Adobe Updates Flash Player and Adobe Connect (November 8, 2016)
Adobe has released security updates to address vulnerabilities in Flash Player and Adobe Connect. The Adobe update fixes nine critical flaws. Users are urged to upgrade to Flash Player v. 23.0.0.207 for Windows and Mac and to Flash Player v.11.2.202.644 for Linux. The update for Adobe Connect, v. 9.5.7, fixes an input validation vulnerability in the events registration module.[Editor Comments ]
[Murray ]
Is there still any enterprise that has not realized that the cost of patching Flash exceeds any possible. While updating may be the right course for the individual, eliminating Flash is the most efficient enterprise solution.
Read more in:
Computerworld: Adobe fixes flaws in Flash Player and Adobe Connect
-http://www.computerworld.com/article/3139867/security/adobe-fixes-flaws-in-flash
-player-and-adobe-connect.html
Android Updates Fix 83 Vulnerabilities (November 8 & 9, 2016)
On Monday, November 7, Google released the monthly security update for Android. The update addresses 83 security issues, but does not fix a recently disclosed copy-on-write vulnerability, nicknamed Dirty COW in the complete or partial patch level. Google does address Dirty COW in the supplemental security patch level.Read more in:
ZDNet: Google won't spike Linux Dirty Cow exploit until December Android patch
-http://www.zdnet.com/article/google-wont-spike-linux-dirty-cow-exploit-until-dec
ember-android-patch/
eWeek: Google Patches 83 Android Flaws in November Update
-http://www.eweek.com/security/google-patches-83-android-flaws-in-november-update
.html
SC Magazine: Android update patches 83 vulnerabilities
-https://www.scmagazine.com/android-update-patches-83-vulnerabilities/article/571
639/
NIST Pushes Up Publication Date for Systems Security Engineering Guidance (November 8, 2016)
The US National Institute of Standards and Technology (NIST) plans to release Special Publication 800-160, Systems Security Engineering, on November 15, several weeks ahead of schedule. The decision to move up the publication date was made, in part, by the recent wave of IoT-fueled distributed denial-of-service (DDoS) attacks. The publication urges organizations to include security in all stages of the systems engineering. The second public draft of the document released earlier this year.Read more in:
GCN: NIST bumps up release of security guidance
-https://gcn.com/articles/2016/11/08/nist-800-160-early-release.aspx?admgarea=TC_
SecCybersSec
INTERNET STORM CENTER TECH CORNER
Adobe Updates-https://helpx.adobe.com/security/products/connect/apsb16-35.html
-https://helpx.adobe.com/security/products/flash-player/apsb16-37.html
DoS Attack Turns off Heat for More then a Week
-http://www.hs.fi/kotimaa/a1478495966653
(finish only) DLink HNAP Vulnerability
-https://raw.githubusercontent.com/pedrib/PoC/master/advisories/dlink-hnap-login.
txt
PoC Exploits Available for Two MSFT Vulnerabilities
-https://github.com/tinysec/public/tree/master/CVE-2016-7255
-https://g-laurent.blogspot.com/2016/11/ms16-137-lsass-remote-memory-corruption.h
tml
OpenSSL Patch Pre-Announced
-https://mta.openssl.org/pipermail/openssl-announce/2016-November/000085.html
Hue Lightbulb Exploit/Worm
-http://iotworm.eyalro.net
(Sophos labels this link as "Spam", but appears to be harmless) ICMP Unreachable DoS Attacks
-https://isc.sans.edu/forums/diary/ICMP+Unreachable+DoS+Attacks+aka+Black+Nurse/2
1699/
OpenSSL 1.1.0 Patch
-https://www.openssl.org/news/secadv/20161110.txt
OWASP ModSecurity Core Rule Set Version 3.0.0 Release
-https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-November/
002265.html
***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
