Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #95

December 02, 2016

TOP OF THE NEWS

FBI's Expanded Surveillance Powers Take Effect
Destructive New Cyber Attacks Use Shamoon Wiper Malware Variant

THE REST OF THE WEEK'S NEWS

Avalanche Botnet Taken Down in Coordinated International Effort
Two-Year Prison Sentence for ISP Sabotage
Medical Implant Device Wireless Signaling Flaws
Mozilla and Tor Update Browsers to Fix Zero-Day Flaw
Gooligan Malware Targets Android Phones
PayPal Fixes OAuth Flaw
GSA's Technology Transformation Service Bug Issues Reporting Guidelines
NDAA Elevates Cyber Command to Full Combatant Command

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


************************** Sponsored By Splunk **************************

Did you know Splunk Enterprise Security is made up of distinct frameworks that can each be leveraged independently to meet specific security use cases?

Join this webinar to learn the technical details behind key Splunk Enterprise Security frameworks. Splunk experts will also discuss real-world examples and demo these frameworks. http://www.sans.org/info/190602

***************************************************************************

TRAINING UPDATE

--SANS Amsterdam 2016 | December 12-17, 2016 | Amsterdam, Netherlands | https://www.sans.org/event/amsterdam-2016

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA | https://www.sans.org/event/security-east-2017

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA | https://www.sans.org/event/anaheim-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore | https://www.sans.org/event/secure-singapore-2017

--SANS Online Training Get a MacBook Air or PC Laptop with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training: SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

FBI's Expanded Surveillance Powers Take Effect (November 30 & December 1, 2016)

An attempt by US legislators to block changes to the search and seizure provision of Rule 41 of the Federal Rules of Criminal Procedure did not succeed. The changes grant the FBI expanded surveillance powers, granting judges the authority to issue warrants that allows the government to remotely access computers outside the judge's jurisdiction, even outside the country, for the purpose of criminal investigations.


[Editor Comments ]



[Henry ]
With the caveat that I haven't drilled into this in great detail, my background and preliminary review says the headlines about "sweeping new authorities to hack" and all Americans getting "a chill down their spine" are somewhat exaggerated. Under current rules of criminal procedure, magistrates can only issue search warrants for computers located in their jurisdiction (the Eastern District of Virginia, for example.) That is a very limited geographic area. Today's intrusion and fraud investigations, many of which are facilitated through the adversaries' use of botnets, have devices located around the country in dozens of different jurisdictions. The primary focus of the rule change is to allow a magistrate, having been briefed on the investigation and the probable cause supporting a warrant, to issue search warrants in jurisdictions outside their own (rather than having agents in dozens of jurisdictions seek dozens of warrants from dozens of magistrates, all in support of the same investigation.)

The important piece here is that any access to a computer will still require a showing of probable cause that the device is an instrument of, or contains evidence of, a federal crime. It does not allow wanton and unrestrained access by the government to a device, but rather facilitates and expedites what today is a long and arduous process. I don't see this as an erosion of civil liberties or constitutional protections, which I fully and totally support, but rather a reasonable adjustment to the many law enforcement challenges evolving technology brings. As citizens, we must continuously evaluate the authorities we grant to our government. We should monitor and review to ensure those authorities are appropriately deployed, and that security is always weighed against privacy in a balanced way. We should assess this new rule change going forward, but on initial review I think that balance is met.


[Pescatore ]
Technology always moves faster than legislation, and the legislative responses always tends to overshoot. The operational use of the new authority under modified Rule 41 will drive the next round of legislative and judicial action - reasonable and targeted use in areas that do lead to apprehension of criminals and terrorists vs. wide scale operation that leads to self inflicted denial of service incidents or unnecessary personal information exposures, will lead to an overshoot in the opposite direction.


[Honan ]
As a non-US citizen this is another example of how the US government does not take into account the privacy rights of people outside of the US. I wonder how the US government will react when other countries implement similar legislation making it legal for foreign police forces to access computers belonging to US citizens.

Read more in:

ZDNet: FBI gains expanded hacking powers after lawmakers' attempts to block fail
-http://www.zdnet.com/article/fbi-gains-expanded-hacking-powers-after-congress-at
tempt-to-block-fails/


Computerworld: Senators fail to block rules allowing U.S. law-enforcement hacking
-http://computerworld.com/article/3146114/security/senators-fail-to-block-rules-a
llowing-us-law-enforcement-hacking.html

Destructive New Cyber Attacks Use Shamoon Wiper Malware Variant (December 1, 2016)

Shamoon wiper malware has resurfaced in recent attacks against government agencies in Saudi Arabia. Shamoon first appeared in 2012 when it was used in attacks against Saudi Aramco. The malware spreads by turning on file sharing and trying to connect to common network file shares.


[Editor Comments ]



[Assante ]
These incidents highlight the potential danger when successful intrusions go unchecked. The enablers for these attacks were previous penetrations where intruders successfully harvested user credentials from Windows domain administrators and other accounts that could unlock file shares used to spread. The attacks underscore the importance of building security programs that can reduce the amount of 'attacker free-time' in an environment.

Read more in:

Ars Technica: Shamoon wiper malware returns with a vengeance
-http://arstechnica.com/security/2016/12/shamoon-wiper-malware-returns-with-a-ven
geance/


Computerworld: Data-wiping malware strikes Saudi government agencies
-http://computerworld.com/article/3146355/security/data-wiping-malware-strikes-sa
udi-government-agencies.html


Dark Reading: Organizations In Saudi Arabia Reportedly Hit In Destructive New Shamoon Attacks
-http://www.darkreading.com/attacks-breaches/organizations-in-saudi-arabia-report
edly-hit-in-destructive-new-shamoon-attacks/d/d-id/1327617?


eWeek: Shamoon Malware Returns in New Attacks
-http://www.eweek.com/security/shamoon-malware-returns-in-new-attacks.html


*************************** SPONSORED LINKS *****************************

1) Don't Miss: Cyber Threat Intelligence: Hurricanes and Earthquakes. Learn more and Register Here: http://www.sans.org/info/190607

2) A Case Study: Developing an Innovative ICS Security Program and Real-Time OT Monitoring Capability for Oil and Gas Infrastructures. Register: http://www.sans.org/info/190612

3) Once breached at the endpoint, what does an attacker do? Where is he going? What does he want? Learn More: http://www.sans.org/info/190617

***************************************************************************

THE REST OF THE WEEK'S NEWS

Avalanche Botnet Taken Down in Coordinated International Effort (December 1, 2016)

US and European authorities worked together to take the Avalanche digital crime network out of service. The Avalanche botnet has been used to serve 20 different kinds of malware and to launch phishing attacks. More than 50 servers have been taken offline, and more than 800,000 domains associated with the Avalanche botnet have been sinkholed, blocked, or seized.


[Editor Comments ]



[Honan ]
Major Kudos to Europol and all other law enforcement agencies and companies involved in this takedown. It is a good example of how international public private partnerships can work to disrupt the work of criminals.

Read more in:

KrebsOnSecurity: 'Avalanche' Global Fraud Ring Dismantled
-https://krebsonsecurity.com/2016/12/avalanche-global-fraud-ring-dismantled/

Ars Technica: Legal raids in five countries seize botnet servers, sinkhole 800,000+ domains
-http://arstechnica.com/security/2016/12/legal-raids-in-five-countries-seize-botn
et-servers-sinkhole-800000-domains/


ZDNet: US, EU take down Avalanche cybercrime network
-http://www.zdnet.com/article/us-eu-take-down-avalanche-cybercrime-network/

The Register: Online criminals iced as cops bury malware-spewing Avalanche?
-http://www.theregister.co.uk/2016/12/01/cops_shutter_avalanche_dark_net/

Two-Year Prison Sentence for ISP Sabotage (December 1, 2016)

A US District Court judge in Pennsylvania has sentenced Dariusz Prugar to two years in prison for sabotaging a former employer's computer network. Prugar had worked as a network administrator for Pa Online, but was fired in June 2010. After losing his job, Prugar accessed the company's systems and installed backdoors and programs that erased files and directories, ultimately causing a network crash. Prugar has also been ordered to pay US $26,000 in restitution.

Read more in:

SC Magazine: Cybercrime blotter: Revenge hacker who downed Pa. ISP sentenced to 24 months
-https://www.scmagazine.com/cybercrime-blotter-revenge-hacker-who-downed-pa-isp-s
entenced-to-24-months/article/576093/

Medical Implant Device Wireless Signaling Flaws (December 1, 2016)

University researchers from Belgium and the UK have found security flaws in the wireless signaling systems used in medical implant devices. The radio-based communications systems are used to obtain information from the devices and to send commands to the devices to alter their activity. The researchers did not disclose the name of the manufacturer, but did say that the manufacturer has been notified and has updated the devices' software.

Read more in:

BBC: 'Fatal' flaws found in medical implant software
-http://www.bbc.com/news/technology-38169102

Paper: On the (in)security of the Latest Generation Implantable Cardiac Defibrillators and How to Secure Them
-https://securewww.esat.kuleuven.be/cosic/publications/article-2678.pdf

Mozilla and Tor Update Browsers to Fix Zero-Day Flaw (November 30 & December 1, 2016)

Mozilla has patched a remote code use-after-free memory flaw in the SVG animation library used by Firefox. The vulnerability was being actively exploited in attacks against the Tor Browser, which is based on Firefox. The flaw can be exploited to "de-anonymize" Tor users. Tor developers have also released an updated version of that browser to fix the problem. The issue has been fixed in Firefox 50.0.2, Firefox Extended Support Release 45.5.1, Thunderbird 45.5.1, and Tor Browser 6.0.7.

Read more in:

eWeek: Mozilla Patches Zero-Day Flaw in Firefox
-http://www.eweek.com/security/mozilla-patches-zero-day-flaw-in-firefox.html

Ars Technica: Mozilla and Tor release urgent update for Firefox 0-day under active attack
-http://arstechnica.com/security/2016/11/tor-releases-urgent-update-for-firefox-0
day-thats-under-active-attack/


ZDNet: Firefox zero-day: Mozilla, Tor issue critical patches to block active attacks
-http://www.zdnet.com/article/firefox-zero-day-mozilla-tor-issue-critical-patches
-to-block-active-attacks/


Computerworld: Firefox zero-day can be used to unmask Tor browser users
-http://computerworld.com/article/3145687/security/firefox-zero-day-can-be-used-t
o-unmask-tor-browser-users.html

Gooligan Malware Targets Android Phones (November 30 & December 1, 2016)

Malware known as Gooligan targets Android devices. It exploits a pair of zero-day plays in Android to obtain root access to the devices it infects. Gooligan then steals email addresses and authentication tokens. While the tokens could be used to gain access to information held in Google accounts, Gooligan instead uses the tokens to download certain apps to infected devices to increase advertising revenue.

Read more in:

The Register: Android-rooting Gooligan malware infects 1 million devices
-http://www.theregister.co.uk/2016/11/30/gooligan_android_malware/

ZDNet: Gooligan Android malware grabs a million Google account in huge Google Play fraud
-http://www.zdnet.com/article/gooligan-android-malware-grabs-a-million-google-acc
ounts-in-huge-google-play-fraud/


Wired: Gooligan malware attack hits one million Google accounts
-http://www.wired.co.uk/article/android-gooligan-ghost-push-hack

PayPal Fixes OAuth Flaw (November 28 & 30, 2016)

PayPal has fixed a flaw that could have been exploited to steal OAuth tokens for payment apps. The issue was in the OAuth token request and acquisition process, and could be exploited through phishing attacks.

Read more in:

The Register: PayPal proffers patch for OAuth app hack hole
-http://www.theregister.co.uk/2016/11/30/paypal_proffers_patch_for_oauth_app_hack
_hole/


ThreatPost: PayPal Fixes OAuth Token Leaking Vulnerability
-https://threatpost.com/paypal-fixes-oauth-token-leaking-vulnerability/122136/

GSA's Technology Transformation Service Bug Issues Reporting Guidelines (November 29, 2016)

The US General Services Administration's (GSA) Technology Transformation Service (TTS) has released a policy for reporting vulnerabilities found on certain US government computer systems. The policy aims to encourage people to report the flaws without fear of legal repercussions. It covers only certain domains; flaws found elsewhere are not covered by the policy. The guidelines and policy are similar to those recently issued by the US Department of Defense (DoD).


[Editor Comments ]



[Pescatore ]
The GSA policy is pretty much in line with a similar policy announced by DoD, and with widely accepted responsible disclosure norms and standards like ISO 29147. Important to note that such policies aren't just about what the vulnerability "finders" should do; the policy requires vulnerability "response" processes be implemented and staffed on the agency (or enterprise) side.

Read more in:

FCW: New 18F rules for bug hunters
-https://fcw.com/articles/2016/11/29/tts-bug-hunter-gunter.aspx

GitHub: GSA's Technology Transformation Service Vulnerability Disclosure Policy
-https://github.com/18F/vulnerability-disclosure-policy/blob/master/vulnerability
-disclosure-policy.md#vulnerability-disclosure-policy

NDAA Elevates Cyber Command to Full Combatant Command (November 29 & 30, 2016)

The final version of the US's fiscal 2017 National Defense Authorization Act (NDAA) elevates the US Cyber Command to full combatant status. Cyber Command is currently under the authority of US Strategic Command. Cyber Command will remain under the directorship of Adm. Mike Rogers, who also directs the NSA. That arrangement, known as "dual-hat leadership," will remain in effect until the secretary of Defense and the chairman of the Joint Chiefs of Staff have made an assessment that the change "will not pose risks to the military effectiveness of the United States Cyber Command that are unacceptable to the national security interests of the United States."

Read more in:

FCW: NDAA Elevates Cyber Command
-https://fcw.com/articles/2016/11/30/ndaa-cyber-elevates.aspx

The Hill: Annual defense bill elevates Cyber Command to combatant unit
-http://thehill.com/policy/cybersecurity/307990-annual-defense-bill-elevates-cybe
r-command-to-combatant-unit


INTERNET STORM CENTER TECH CORNER

Mirai/TR-069 Update: Deutsche Telekom Routers May have been DDoSed by Traffic Volume, not Exploit
-https://comsecuris.com/blog/posts/were_900k_deutsche_telekom_routers_compromised
_by_mirai/

Bitlocker Encrypted Drives Exposed During System Upgrade
-http://blog.win-fu.com/2016/11/every-windows-10-in-place-upgrade-is.html

Software-Only Defenses Against Rowhammer
-https://arxiv.org/abs/1611.08396

Mozilla Patches Firefox 0-Day (Exploit already available!)
-https://isc.sans.edu/forums/diary/Unpatched+Vulnerability+in+Firefox+used+to+Att
ack+Tor+Browser/21769/

SQL Slammer "Resurgence"?
-https://isc.sans.edu/forums/diary/Take+Back+Wednesday+SQL+Slammer+still+alive+bu
t+barely+kicking/21767/

Goolian Android Malware
-http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooliga
n/

Bypassing SAML 2.0 SSO
-http://research.aurainfosec.io/bypassing-saml20-SSO/

Webcast: The Six Most Dangerous New Cyber Attack Techniques
-https://cc.readytalk.com/registration/#/?meeting=9yq9nbx4tp7a&campaign=nggmj
hc39guc

Open Source Tool "Beamgun" Fights Rogue USB Devices on Windows
-https://github.com/JLospinoso/beamgun

"Shamoon" Malware is back with a new destructive attack against Saudi Arabia
-https://www.bloomberg.com/news/articles/2016-12-01/destructive-hacks-strike-saud
i-arabia-posing-challenge-to-trump

British ISP "KCOM" Suffering Outage After Attack
-http://www.hulldailymail.co.uk/kcom-blames-cyber-attack-for-thousands-losing-int
ernet-access-in-hull/story-29944084-detail/story.html#xf23rtZbUqlh5uXY.99

Microsoft Fixes Long Known Privilege Escalation Issue
-https://threatpost.com/microsoft-silently-fixes-kernel-bug-that-led-to-chrome-sa
ndbox-bypass/122179/



***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board