
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #92

November 18, 2016

TOP OF THE NEWS

Experts Testify Before Congress About IoT Security
UK's Investigatory Powers Bill Passes Parliament
Ransomware with a Mission
Backdoor on Android Phones

THE REST OF THE WEEK'S NEWS

Russian Authorities Block LinkedIn
Drupal Patches Flaws in Core Versions 7 and 8
Director of National Intelligence Clapper Resigns
One-Third of Websites are Still Using SHA-1
PoisonTap Breaks Into Locked Computers
Mozilla Updates Firefox Consumer Version and Firefox ESR
Cybersecurity Profile for Oil Industry Supply Chain
Guilty Plea in TalkTalk Case

INTERNET STORM CENTER TECH CORNER


********************** Sponsored By Carbon Black ***********************

Available Now On Demand: Ready to Replace AV? Criteria to Evaluate NGAV Solutions Featuring Neil Boland, CISO at MLB and Greg Notch, SVP, NHL. Webcast registrants who register between 11/15/16 and 11/30/16 will be entered in a drawing for a complimentary SANS Training Course of their choice sponsored by Carbon Black. Go to: http://www.sans.org/info/190082

(Travel & hotel expenses not included)

***************************************************************************

TRAINING UPDATE

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC | https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Amsterdam 2016 | December 12-17, 2016 | Amsterdam, Netherlands | https://www.sans.org/event/amsterdam-2016

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA | https://www.sans.org/event/security-east-2017

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA | https://www.sans.org/event/anaheim-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore | https://www.sans.org/event/secure-singapore-2017

***************************************************************************

--SANS Online Training

Get a MacBook Air or PC Laptop with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

Single Course Training:

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Experts Testify Before Congress About IoT Security (November 16, 2016)

Experts told the US House Committee on Energy and Commerce that action must be taken to secure the Internet of Things (IoT). Among the ideas raised were consequences for manufacturers that release products with inadequate security; a federally-funded IoT testing laboratory; and a new federal agency focused on cybersecurity. The committee hearing was a post-mortem of the distributed denial-of-service (DDoS) attack against Dyn last month that caused a number of popular websites to experience temporary outages.


[Editor Comments]

[Murray]
The IoT is global, not local. It is not a problem that even smart government can be expected to fix (and we have opted for the other kind.) Courtney's First Law reminds us that not all "things" are the same and do not all have the same security requirements. One useful distinction is between those devices intended to be directly addressable (Operable? Repairable?) from the public networks and those intended for use only on private networks. Another useful distinction is between those devices intended to be remotely repairable, with a correspondingly large attack surface and those which can simply be discarded or disabled if broken. A device priced in dimes to dollars need not be repairable at all, much less remotely so. Finally, we might well distinguish between active devices, e.g., thermostats, drones, and passive ones, e.g., thermometers, baby monitors.

Read more in:

Computerworld: U.S. lawmakers balk at call for IoT security regulations
-http://www.computerworld.com/article/3141803/security/us-lawmakers-balk-at-call-for-iot-security-regulations.html


Dark Reading: Security Experts Call For Regulation On IoT Cybersecurity
-http://www.darkreading.com/iot/security-experts-call-for-regulation-on-iot-cybersecurity/d/d-id/1327505


The Register: Experts to Congress: You must act on IoT security. Congress: Encourage industry to develop best practices, you say?
-http://www.theregister.co.uk/2016/11/16/experts_to_congress_you_must_act_on_iot_security_congress_encourage_industry_to_develop_best_practices_you_say/


The Hill: GOP chairman open to some regulation of Internet devices
-http://thehill.com/policy/cybersecurity/306418-house-subcommittee-chair-regulation-of-internet-connected-devices-not

UK's Investigatory Powers Bill Passes Parliament (November 17, 2016)

Britain's Parliament has passed the Investigatory Powers Bill, a controversial surveillance law that grants UK intelligence agencies what some have called "overreaching, draconian and intrusive" authority to snoop on citizens. The bill is expected to become law before the end of the calendar year. It compels Internet service providers (ISPs) to retain every customer's browsing history for up to a year; grants intelligence agencies the authority to gather "bulk personal datasets," which could include information belonging to individuals not associated with an investigation; and requires companies to decrypt information upon demand.

Read more in:

ZDNet: Britain has passed the 'most extreme surveillance law ever passed in a democracy'
-http://www.zdnet.com/article/snoopers-charter-expansive-new-spying-powers-becomes-law/


V3: Snoopers' Charter to become law after Lords give up amendment fight
-http://www.v3.co.uk/v3-uk/news/2477584/snoopers-charter-to-become-law-after-lords-give-up-amendment-fight


SC Magazine UK: The Investigatory Powers Bill is now set to become law
-http://www.scmagazineuk.com/the-investigatory-powers-bill-is-now-set-to-become-law/article/573616/

Ransomware with a Mission (November 16, 2016)

Ransoc ransomware looks for evidence that a computer has been used to search for or access child pornography and uses that information in its payment demand. Victims are threatened with legal action and with having their activity publicly exposed. The criminals using Ransoc accept credit card payments, a brash approach because the transactions are easily traced.

Read more in:

SC Magazine: Ransoc ransomware uses clever tactics to target pedophiles
-https://www.scmagazine.com/vigilante-ransomware-targets-pedophiles-torrent-users/article/573511/


The Register: New Ransoc extortionists hunt for actual child abuse material
-http://www.theregister.co.uk/2016/11/16/ransoc_extortionware/

Backdoor on Android Phones (November 15, 2016)

Firmware on certain Android devices has been found to contain a backdoor that has been used to send personal data, including text messages and call records, to servers in China. The issue affects certain low-cost Android phones manufactured in China. The software appears to have been developed for devices sold on the Chinese market and was inadvertently introduced in other markets.

Read more in:

Ars Technica: Chinese company installed secret backdoor on hundreds of thousands of phones
-http://arstechnica.com/security/2016/11/chinese-company-installed-secret-backdoor-on-hundreds-of-thousands-of-phones/


CNET: Low-cost Android phones collected calls, texts without permission
-https://www.cnet.com/news/popular-low-cost-android-phones-have-been-collecting-user-data-without-permission/


KrebsOnSecurity: Chinese IoT Firm Siphoned Text Messages, Call Records
-https://krebsonsecurity.com/2016/11/chinese-iot-firm-siphoned-text-messages-call-records/



*************************** SPONSORED LINKS *****************************

1) Wish you could triple your security team? There's a better way. The right technology can be your force multiplier. Register: http://www.sans.org/info/190087

2) Don't Miss: Redefining Endpoint Incident Response with Behavioral Analysis. Register: http://www.sans.org/info/190092

3) Integration is key to comprehensive prevention, detection, response and continuous improvement. Tell us how integrated or disparate your processes are in this survey: http://www.sans.org/info/190097

***************************************************************************

THE REST OF THE WEEK'S NEWS

Russian Authorities Block LinkedIn (November 17, 2016)

Russia's communications regulator, Roskomnadzor, has ordered Internet service providers (ISPs) to block access to LinkedIn after a court in that country found that the company had violated data storage laws. A 2014 Russian law requires companies that handle Russian citizens' data to process those data within Russia.

Read more in:

BBC: LinkedIn blocked by Russian authorities
-http://www.bbc.com/news/technology-38014501

Computerworld: Russia Orders ISPs to block LinkedIn
-http://www.computerworld.com/article/3142580/data-privacy/isps-ordered-to-block-linkedin-in-russia.html


V3: Russia begins blocking LinkedIn after data storage court clash
-http://www.v3.co.uk/v3-uk/news/2477030/russia-to-block-access-to-linkedin-over-data-storage-concerns

Drupal Patches Flaws in Core Versions 7 and 8 (November 17, 2016)

Drupal has released fixes for four vulnerabilities in Drupal core versions 7 and 8. The content management systems provider says that two of the flaws are "moderately critical." One of those flaws could be exploited to redirect users to third-party websites; the other could be exploited to cause denial-of-service conditions. Users are encouraged to upgrade to Drupal core versions 7.52 or 8.2.3.

Read more in:

SC Magazine: Drupal corrects four flaws in core CMS offering
-https://www.scmagazine.com/drupal-corrects-four-flaws-in-core-cms-offering/article/573640/


Drupal: Advisory: Drupal Core - Moderately Critical - Multiple Vulnerabilities - SA-Core-2016-005
-https://www.drupal.org/SA-CORE-2016-005

Director of National Intelligence Clapper Resigns (November 17, 2016)

US Director of National Intelligence James Clapper has submitted his resignation letter. The news does not come as a surprise, as Clapper has long said that he would tender his resignation at the end of President Obama's term in office.

Read more in:

The Hill: Spy chief James Clapper resigns
-http://thehill.com/policy/national-security/306527-spy-chief-james-clapper-resigns


Ars Technica: Director of National Intelligence James Clapper resigns
-http://arstechnica.com/tech-policy/2016/11/director-of-national-intelligence-james-clapper-resigns/


Wired: America's Top Spy Talks Snowden Leaks and Our Ominous Future
-https://www.wired.com/2016/11/james-clapper-us-intelligence/

One-Third of Websites are Still Using SHA-1 (November 17, 2016)

Thirty-five percent of websites worldwide are still using the SHA-1 hashing algorithm. The deadline for eliminating the use of SHA-1 certificates is fast approaching. Starting January 1, 2017, some browsers will stop trusting certificates signed with SHA-1.


[Editor Comments]

[Murray]
Fortunately for us, crypto is stronger than we need for it to be. While SHA-1 is theoretically vulnerable to attack, few of those attacks are efficient. That said, there are more efficient measures and those should be used in infrastructure.

Read more in:

Dark Reading: As Deadline Looms, 35 Percent Of Web Sites Still Rely On SHA-1
-http://www.darkreading.com/operations/as-deadline-looms-35-percent-of-web-sites-still-rely-on-sha-1/d/d-id/1327522?
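One defender-side check for the deadline described above, as an added example that is not part of the newsletter or of any article it cites: a small Python script that reads the outer signatureAlgorithm OID of a DER-encoded X.509 certificate and reports whether the signature uses SHA-1. It needs no third-party library. The certificate it parses is constructed inline (a structurally valid DER shell with a placeholder body and a zero signature, not a real certificate); the OID-to-name table is taken from the RFCs named in the comments.

```python
"""Flag SHA-1 signatures on X.509 certificates with a minimal DER walker.

Added example, not code from the newsletter or any cited source. It reads only
the certificate's outer signatureAlgorithm OID, enough for an inventory script
to flag SHA-1-signed leaf and intermediate certificates without extra libraries.
"""

# Signature-algorithm OIDs from RFC 3279, RFC 4055 and RFC 5758.
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-sha1",
}
SHA2_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, _, tbs_end = read_tlv(cert_der, start)      # tbsCertificate: skipped
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, alg_start, _ = read_tlv(cert_der, tbs_end)   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(cert_der[oid_start:oid_end])

def classify(cert_der):
    """Return ("SHA-1" | "SHA-2" | "unknown", algorithm name or raw OID)."""
    oid = signature_oid(cert_der)
    if oid in SHA1_SIG_OIDS:
        return "SHA-1", SHA1_SIG_OIDS[oid]
    if oid in SHA2_SIG_OIDS:
        return "SHA-2", SHA2_SIG_OIDS[oid]
    return "unknown", oid

# --- constructed sample input: no real certificate is embedded ---------------

def encode_tlv(tag, body):
    """Encode one DER element, using the long length form above 127 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + body

def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return encode_tlv(0x06, bytes(out))

def make_sample_cert(sig_oid):
    """Constructed DER Certificate shell: placeholder tbsCertificate, the given
    signature OID with NULL parameters, and a 256-byte zero signature. It is not
    a valid certificate; it only exercises the parser (long length form included)."""
    tbs = encode_tlv(0x30, encode_tlv(0x02, b"\x01"))
    alg = encode_tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")
    sig = encode_tlv(0x03, b"\x00" + bytes(256))  # BIT STRING, zero unused bits
    return encode_tlv(0x30, tbs + alg + sig)
```

For a live check, the standard library's `ssl.get_server_certificate((host, 443))` returns the leaf certificate as PEM and `ssl.PEM_cert_to_DER_cert()` converts it to the DER bytes `classify()` expects. Two caveats: that call returns only the leaf, while browsers also reject SHA-1 on intermediates, so the served chain has to be inspected as well; and a trust anchor's self-signature is not checked by browsers, so a SHA-1 signature on a root certificate is not what the deadline is about.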

PoisonTap Breaks Into Locked Computers (November 16 & 17, 2016)

Samy Kamkar has released schematics and code for a proof-of-concept device called PoisonTap. Once attached to the targeted computer through a USB port, PoisonTap exploits the fact that operating systems trust DHCP information, tricking the computer into treating the device as an Ethernet connection.


[Editor Comments]

[Ullrich]
This problem is similar to users connecting to untrusted WiFi networks. While the exploit isn't new, this "package" makes it much easier to exploit this vulnerability than before. Note that this is not limited to USB-based network interfaces, but other interfaces like Firewire or Thunderbolt could be abused in the same way, so locking down USB ports may not be sufficient.


[Northcutt]
The stakes for physical security just went up. If someone can get access to a USB port, they can almost certainly get access to the operating system. It is very unlikely users are going to close their browsers when they walk away from their computer. And even if the browsers could find a way to eliminate this particular attack, it will not be long until there are variants. Seems like the two best countermeasures are to restrict guest and contractor access in office buildings and to consider a cloud-based browser like Authentic8 Silo.

Read more in:

Wired: Wickedly Clever USB Stick Installs a Backdoor on Locked PCs
-https://www.wired.com/2016/11/wickedly-clever-usb-stick-installs-backdoor-locked-pcs/


The Register: PoisonTap fools your PC into thinking the whole Internet lives in an rPi
-http://www.theregister.co.uk/2016/11/17/poisontap_contains_the_whole_internet_or_so_your_computer_thinks/


SC Magazine: This is PoisonTap, Kamkar tool can hack locked PCs
-https://www.scmagazine.com/this-is-poisontap-kamkar-tool-can-hack-locked-pcs/article/573512/


The Hill: Researcher says $5 device can hack locked computers
-http://thehill.com/policy/cybersecurity/306318-masterful-5-device-can-hack-locked-macs-pcs

Mozilla Updates Firefox Consumer Version and Firefox ESR (November 16, 2016)

Mozilla has updated two versions of its Firefox browser. The consumer version is now version 50, and the enterprise ESR version is now version 45.5. The update for the consumer version of Firefox includes fixes for 27 issues, three of which have been rated critical. The update for Firefox ESR includes fixes for nine vulnerabilities, two of which have been rated critical.

Read more in:

SC Magazine: Firefox browsers updated for security bugs
-https://www.scmagazine.com/firefox-browsers-updated-for-security-bugs/article/573335/


Mozilla: Advisory: Security vulnerabilities fixed in Firefox 50
-https://www.mozilla.org/en-US/security/advisories/mfsa2016-89/

Mozilla: Advisory: Security vulnerabilities fixed in Firefox ESR 45.5
-https://www.mozilla.org/en-US/security/advisories/mfsa2016-90/

Cybersecurity Profile for Oil Industry Supply Chain (November 15, 2016)

The Maritime Bulk Liquids Transfer Cybersecurity Framework Profile was developed to help oil industry supply chain facilities secure systems that control valves, pumps, and sensors involved in transferring liquids onto and off of shipping vessels. Developed by the US Coast Guard, the National Institute of Standards and Technology, and oil industry supply chain stakeholders, the guidance offers "a pathway for integrating the NIST Cybersecurity Framework into organizations' operations."


[Editor Comments]

[Murray]
Broad general guidance is proving to be less effective than one might have hoped. It seems likely that the more specific guidance is, the more likely it is to be effective and efficient.

Read more in:

GCN: Cybersecurity for the oil industry supply chain
-https://gcn.com/articles/2016/11/15/maritime-port-cybersecurity.aspx?admgarea=TC_SecCybersSec


USCG: Maritime Bulk Liquids Transfer Cybersecurity Framework Profile
-http://www.uscg.mil/hq/cg5/cg544/docs/Maritime_BLT_CSF.pdf

Coast Guard: Release of Maritime Bulk Liquids Transfer Cybersecurity Framework Profile
-http://mariners.coastguard.dodlive.mil/2016/11/10/release-maritime-bulk-liquids-transfer-cybersecurity-framework-profile/

Guilty Plea in TalkTalk Case (November 15, 2016)

A UK teenager has pleaded guilty to seven charges under the Computer Misuse Act for his role in the TalkTalk data breach. He was arrested last year and will be sentenced in December. He is the first of six people arrested in connection with the attack to be charged.

Read more in:

The Guardian: Boy who hacked TalkTalk website was 'showing off to mates'
-https://www.theguardian.com/uk-news/2016/nov/15/boy-who-hacked-talktalk-website-was-showing-off-to-mates


SC Magazine: 17-year-old pleads guilty to offences linked to TalkTalk hack
-http://www.scmagazineuk.com/17-year-old-pleads-guilty-to-offences-linked-to-talktalk-hack/article/572994/


INTERNET STORM CENTER TECH CORNER

Vulnerability in LUKS Can Be Used to Boot Encrypted Linux Systems
-http://betanews.com/2016/11/15/linux-security-bug-cryptsetup-luks/

Shazam Keeps Microphone Turned on Even While not "Listening"
-https://objective-see.com/blog/blog_0x13.html

nginx Privilege Escalation Vulnerability (Debian Only)
-http://legalhackers.com/advisories/Nginx-Exploit-Deb-Root-PrivEsc-CVE-2016-1247.html

Russian Malspam Distributing Troldesh Ransomware
-https://isc.sans.edu/forums/diary/Malspam+distributing+Troldesh+ransomware/21717/

Symantec Patches Untrusted DLL Loading Vulnerability
-https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20161115_00

VMware Patches VM Escape Vulnerability
-http://www.vmware.com/security/advisories/VMSA-2016-0019.html

Some Android Phones Leak Data To China
-http://www.prnewswire.com/news-releases/kryptowire-discovered-mobile-phone-firmware-that-transmitted-personally-identifiable-information-pii-without-user-consent-or-disclosure-300362844.html

Phishers Protect Phishing Sites from Security Researchers
-https://isc.sans.edu/forums/diary/Example+of+Getting+Analysts+Researchers+Away/21721/

Fedora / Chrome Automatic Downloads and Code Execution
-https://scarybeastsecurity.blogspot.de/2016/11/0day-poc-risky-design-decisions-in.html

Volutility Version 1.0 Released
-https://techanarchy.net/2016/11/volutility-version-1-0-release/

iOS Synchronizing Call Logs via iCloud
-http://www.forbes.com/sites/thomasbrewster/2016/11/17/iphone-call-logs-in-icloud-warns-elcomsoft-hackers/#5d96b21c2936



***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board