SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #93
November 22, 2016
TOP OF THE NEWS
Major Browsers Announce SHA-1 End-of-Support Dates
US Defense Dept. Vulnerability Disclosure Policy
Bill Would Delay Expanded Digital Search Powers for FBI
THE REST OF THE WEEK'S NEWS
Nebraska Irrigation District System Backups Diminish Ransomware's Bite
Qualcomm Bug Bounty Program
Justice Dept. Argues for Authority to Search Anonymized Computers
Three Mobile Breach
UK Man Pleads Guilty to Charges He Hired DDoS Service to Attack Business Rivals' Sites
Akamai Report Says Mirai Botnet Attacks are an Indication of Future Security Events
Firefox Focus Browser for iOS is All About Privacy
INTERNET STORM CENTER TECH CORNER
********************** Sponsored By Carbon Black ***********************
Available Now On Demand: Ready to Replace AV? Criteria to Evaluate NGAV Solutions Featuring Neil Boland, CISO at MLB and Greg Notch, SVP, NHL. Webcast registrants that register between 11/15/16 and 11/30/16 will be entered in a drawing for a complimentary SANS Training Course of your choice sponsored by Carbon Black. Go to: http://www.sans.org/info/190322
(Travel & hotel expenses not included)
***************************************************************************
TRAINING UPDATE
--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC | https://www.sans.org/event/cyber-defense-initiative-2016
--SANS Amsterdam 2016 | December 12-17, 2016 | Amsterdam, Netherlands | https://www.sans.org/event/amsterdam-2016
--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA | https://www.sans.org/event/security-east-2017
--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017
--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017
--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017
--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA | https://www.sans.org/event/anaheim-2017
--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017
--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore | https://www.sans.org/event/secure-singapore-2017
--SANS Online Training Get a MacBook Air or PC Laptop with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.
--Single Course Training: SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/
***************************************************************************
TOP OF THE NEWS
Major Browsers Announce SHA-1 End-of-Support Dates (November 21, 2016)
Mozilla, Microsoft, and Google have all announced which builds of their browsers will herald the end of support for SHA-1. Firefox 51 and Chrome 56, scheduled for release in January 2017, and the February 14, 2017 releases of Microsoft's Edge and Internet Explorer 11 will no longer support SHA-1. Problems with the hashing algorithm have been known for more than 10 years.
[Editor Comments]
[Ullrich]
The ssllabs.com site allows you to test whether your SSL configuration is up to date. This increase in SSL scrutiny will be a big problem for users who need to connect to older devices. Many older devices such as cameras and routers, but also IPMI "Lights Out" remote management consoles for servers, support only SHA-1 based certificates. Without SHA-1 support your browser will no longer be able to connect to SHA-1-only systems via SSL unless your browser allows you to override the warning (not all browsers allow this override!). Don't forget to test the new browser with some SHA-1 systems, and make sure to keep an old browser around, maybe inside a specific virtual machine, to connect. A similar problem arises with systems that require old versions of Java, or some older remote power controllers I have seen that support SSH (not SSL), but only ciphers that newer SSH clients do not support.
[Northcutt]
Could not happen soon enough. Now perhaps, with Certificate Transparency, it will be safe to buy a pair of shoes on the Internet again:
-https://www.youtube.com/watch?v=1NsDKpkugR8
[Murray]
I am not aware of any efficient attacks against it in all that time. One chooses strong algorithms more because they are cheap than for any security reason.
Read more in:
The Register: Microsoft plans St. Valentine's Day massacre SHA-1
-http://www.theregister.co.uk/2016/11/21/microsoft_to_massacre_sha1/
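The practical question the item above raises for a defender is "which of my servers and management interfaces still present a SHA-1-signed certificate?" The following script is an added example, not code from SANS or any of the browser vendors; it walks just enough of the DER structure of an X.509 certificate to read the outer signatureAlgorithm OID and flags the SHA-1 variants. The two sample certificates are constructed shells with an empty tbsCertificate (enough for the parser to walk, not real certificates), and check_host() is a hypothetical helper that uses the standard-library ssl module to fetch a live server's leaf certificate.

```python
import ssl

# OIDs whose signature algorithm hashes with SHA-1: the certificates the
# browser deprecation targets.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
# Common modern algorithms, only for readable output.
MODERN_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form: next n bytes hold the length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Turn base-128 OID content bytes into dotted-decimal form."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def signature_algorithm_oid(der):
    """Extract the outer signatureAlgorithm OID of a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)          # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def classify(der):
    """Return (is_sha1, algorithm_name) for a DER certificate."""
    oid = signature_algorithm_oid(der)
    if oid in SHA1_SIGNATURE_OIDS:
        return True, SHA1_SIGNATURE_OIDS[oid]
    return False, MODERN_SIGNATURE_OIDS.get(oid, oid)


def check_host(host, port=443):
    """Hypothetical helper: fetch a server's leaf certificate over TLS and classify it."""
    pem = ssl.get_server_certificate((host, port))
    return classify(ssl.PEM_cert_to_DER_cert(pem))


def constructed_cert(oid_content):
    """Constructed sample: empty tbsCertificate, the given AlgorithmIdentifier
    (OID + NULL parameters) and a one-byte BIT STRING. Not a real certificate,
    just enough structure for signature_algorithm_oid() to walk."""
    oid = b"\x06" + bytes([len(oid_content)]) + oid_content
    alg = b"\x30" + bytes([len(oid) + 2]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body


SHA1_RSA_SAMPLE = constructed_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")    # sha1WithRSA
SHA256_RSA_SAMPLE = constructed_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")  # sha256WithRSA

if __name__ == "__main__":
    for name, der in (("sha1 sample", SHA1_RSA_SAMPLE), ("sha256 sample", SHA256_RSA_SAMPLE)):
        flagged, alg = classify(der)
        print(f"{name}: {alg} -> {'replace before the browser cut-off' if flagged else 'ok'}")
```

ssl.get_server_certificate() returns only the leaf certificate, so run the same classification over every intermediate in the chain your server actually sends; a SHA-1 intermediate triggers the same browser rejection as a SHA-1 leaf. A self-signed root's own signature does not count, since browsers trust roots by identity rather than by verifying their signature.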
US Defense Dept. Vulnerability Disclosure Policy (November 21, 2016)
The US Department of Defense (DoD) has established a policy that allows researchers to report vulnerabilities in public-facing DoD websites without worrying about the possibility of prosecution. DoD is working with HackerOne, an organization that has helped establish bug bounty and vulnerability disclosure programs. The DoD program is not a bug bounty program. Defense Secretary Ash Carter calls it a digital "see something, say something" policy.
[Editor Comments]
[Honan]
Bug Bounty and vulnerability disclosure programs are good initiatives to have in place. However, they should not be the only initiative to have in order to ensure your systems are secure. Good application security training, threat tree analysis, secure source code review and testing, vulnerability testing, and awareness of the SANS Top 25 Most Dangerous Software Errors, should all form part of an overall application security program.
Read more in:
Washington Post: Hackers can now report bugs in Defense Dept. websites without fear of prosecution
-https://www.washingtonpost.com/world/national-security/hackers-can-now-report-bugs-in-defense-dept-websites-without-fear-of-prosecution/2016/11/21/2605901a-b019-11e6-840f-e3ebab6bcdd3_story.html
HackerOne: DoD Vulnerability Disclosure Policy
-https://hackerone.com/deptofdefense
Bill Would Delay Expanded Digital Search Powers for FBI (November 17, 2016)
US Senators have introduced a bill that would delay an update to Rule 42 of the Federal Rules of Criminal Procedure that grants the FBI extended powers to search computers in multiple jurisdictions. The change is scheduled to go into effect on December 1, 2016. The legislation would freeze the impending rule change until July 1, 2017.
Read more in:
Nextgov: Senators Introduce Bill to Delay Expansion of FBI Hacking Powers
-http://www.nextgov.com/security/2016/11/senators-introduce-bill-delay-expansion-fbi-hacking-powers/133260/?oref=ng-technology-news-all
Text of Proposed legislation
-http://www.nextgov.com/media/gbc/docs/pdfs_edit/111716jm1.pdf
THE REST OF THE WEEK'S NEWS
Nebraska Irrigation District System Backups Diminish Ransomware's Bite (November 21, 2016)
When the computer system at the Central Platte (Nebraska) Natural Resources District became infected with ransomware, the irrigation district did not bother paying the attackers. The district's system backs up every 15 minutes, so no data were lost. The district has brought in experts to help determine what information the attackers accessed.
[Editor Comments]
[Murray]
Backup is the protective measure of last resort. Not only is it useful against "Ransom Ware" attacks but against other difficult to anticipate risks. It is efficient, in part, because it protects against so many things and, in part, because computers do few things quite so well as they make cheap, dense, portable copies.
[Honan]
A great example of how good operational security can enable better resilience to an attack. We need to focus more on ensuring the basics are implemented properly before looking for the latest and greatest next generation solution.
Read more in:
SC Magazine: Nebraska irrigation district thwarts ransomware attack with automatic backup
-https://www.scmagazine.com/irrigation-district-breached-refuses-to-pay-ransom/article/574443/
Lincoln Journal Star: Hackers break into Nebraska irrigation district's computers
-http://journalstar.com/news/state-and-regional/nebraska/hackers-break-into-nebraska-irrigation-district-s-computers/article_7b55cbd5-f686-5bd8-9250-c69f66be99c7.html
Qualcomm Bug Bounty Program (November 17 & 21, 2016)
Qualcomm has launched a bug bounty program, inviting researchers to hunt for security issues in its Snapdragon processors, LTE modems, and other products. Participation in the program is currently by invitation only.
Read more in:
SC Magazine UK: Qualcomm launches bug bounty programme to find chip flaws
-http://www.scmagazineuk.com/qualcomm-launches-bug-bounty-programme-to-find-chip-flaws/article/574220/
TechWeekEurope: Qualcomm Bug Bounty Offers Up To u12.10 For Snapdragon Flaws
-http://www.techweekeurope.co.uk/security/qualcomm-bug-bounty-boosted-for-snapdragon-flaw-spotting-200904
ZDNet: Qualcomm launches bug bounty program for Snapdragon chips, modems
-http://www.zdnet.com/article/qualcomm-launches-hardware-bug-bounty-program/
HackerOne: Qualcomm Vulnerability Rewards Program
-https://hackerone.com/qualcomm
Justice Dept. Argues for Authority to Search Anonymized Computers (November 21, 2016)
In a blog post, the US Assistant Attorney General argues for the necessity of the rule change that grants officials the authority to search computers that are using anonymizing technology like Tor. A forthcoming DoJ blog post will address the issue of the broadened scope of warrants.
Read more in:
The Hill: DOJ defends new warrant rule for computer searches
-http://thehill.com/policy/cybersecurity/307038-doj-blog-without-new-evidence-rules-computer-investigations-nonsensical
DoJ: Blog: Ensuring Tech-Savvy Criminals Do Not Have Immunity From Investigation
-https://www.justice.gov/opa/blog/ensuring-tech-savvy-criminals-do-not-have-immunity-investigation
Three Mobile Breach (November 18 & 21, 2016)
UK mobile service provider Three Mobile has disclosed that a security breach compromised the personal information of nearly 134,000 customers. The company says that the compromised data do not include banking information. The attackers accessed the database with authorized login credentials. Three people have been arrested in connection with the breach.
Read more in:
ZDNet: Three mobile confirms data breach: Company confirms data from 133,827 accounts could have been accessed
-http://www.zdnet.com/article/three-mobile-data-breach-company-confirms-data-from-133827-accounts-could-have-been-accessed/
Register: Three Mobile, two alleged hackers, one big customer database heist
-http://www.theregister.co.uk/2016/11/18/three_mobile_two_hackers_one_big_data_breach/
UK Man Pleads Guilty to Charges he Hired DDoS Service to Attack Business Rivals' Sites (November 21, 2016)
A UK man has been given a four-month suspended prison sentence and ordered to perform 180 hours of unpaid work for hiring a distributed-denial-of-service (DDoS) attack service to sabotage business rivals' websites. James Frazer-Mann, who operated a payday loan business, admitted to five counts of commissioning or encouraging offenses that prevent access to programs or documents held in a computer.
Read more in:
BBC: Welsh loans boss paid hackers to hit rivals, court hears
-http://www.bbc.com/news/uk-wales-south-east-wales-38053494
The Guardian: Loan boss paid hackers to attack consumer website, court told
-https://www.theguardian.com/uk-news/2016/nov/21/loans-boss-paid-hackers-attack-consumer-website-james-frazer-mann
Akamai Report Says Mirai Botnet Attacks are an Indication of Future Security Events (November 18, 2016)
Akamai's Q3 2016 State of the Internet/Security Report discusses the massive distributed denial-of-service (DDoS) attack against Dyn, which harnessed the power of IoT (Internet of Things) devices. A senior editor of the report describes Mirai as a "harbinger attack," one that heralds the increased scope and size of security events to come.
Read more in:
FCW: Study backs IoT/DDoS concerns
-https://fcw.com/articles/2016/11/21/rockwell-akamai-study.aspx
Akamai: Q3 2016 State of the Internet/Security Report
-https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/q3-2016-state-of-the-internet-security-report.pdf
Firefox Focus Browser for iOS is All About Privacy (November 17 & 18, 2016)
Mozilla has launched a new browser for iOS. Firefox Focus aims to protect users' privacy. It blocks ad trackers, analytics trackers, and social trackers by default. All records of a browsing session can be deleted with one tap.
[Editor Comments]
[Murray]
iOS is already a safer OS for browsing because, unlike desktop operating systems, it hides its file system from the browser. We should take a lesson from the iOS architecture and replace the general purpose browser with purpose-built apps.
Read more in:
V3: Firefox Focus browser for iOS launched with emphasis on privacy
-http://www.v3.co.uk/v3-uk/news/2477780/firefox-focus-browser-for-ios-launched-with-emphasis-on-privacy
Tech Crunch: Mozilla Launched Firefox Focus, a private web browser for iPhone
-https://techcrunch.com/2016/11/17/mozilla-launches-firefox-focus-a-private-web-browser-for-iphone/
INTERNET STORM CENTER TECH CORNER
Converting Timestamps with Epocalypse
-https://isc.sans.edu/forums/diary/How+many+Epoch+times+Epocalypsepy+timestamp+converter/21733/
SIP Disabled on Some Macbook Pros
-http://www.macrumors.com/2016/11/17/system-integrity-protection-disabled-macbook-pro/
Spoofing Microsoft.com E-Mails with Outlook.com
-https://www.utkusen.com/blog/sending-valid-phishing-emails-from-microsoftcom.html
Various High Profile Twitter Accounts Hijacked By Spammers
-https://www.engadget.com/2016/11/19/spammers-compromised-twitter-accounts-for-playstation-and-other/
Dyn Attack Caused by Single Angry Playstation User
-http://www.wsj.com/articles/october-internet-attack-targeted-playstation-network-researchers-say-1479250847
Encrypted ZIP File with Comments
-https://isc.sans.edu/forums/diary/ZIP+With+Comment/21737/
Siemens Surveillance Cameras Use Static Default Password
-https://ics-cert.us-cert.gov/advisories/ICSA-16-322-01
NTP Single Packet DoS Vulnerability
-http://dumpco.re/cve-2016-7434/
Windows 10 Does Not Provide the Same Protections as EMET
-https://insights.sei.cmu.edu/cert/2016/11/windows-10-cannot-protect-insecure-applications-like-emet-can.html
***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board