SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #96
December 06, 2016
TOP OF THE NEWS
NHS Hospital Trust In the UK Temporary Shut-Down Due to Ransomware
Big New Botnet
Visa Pushes Back Gas Pump Chip Deadline
THE REST OF THE WEEK'S NEWS
UK Police Nab Suspect While Phone is Unlocked
Guilty Plea in Tax Evasion Software Case
Chrome and WebView Updated to Address Certificate Validation Issue
Android Updates for December
Thieves Steal US $31 Million from Russian Central Bank
Russia Says it Thwarted Cyberattack Against Banks
Insurers, Cyberattacks, and Physical Damage
Misconfigured Storage Device Exposed Location of Oil Industry Explosives
President's Commission on Enhancing National Cyber Security Issues Final Report
Government Retiring Outdated Cyber Regulations
INTERNET STORM CENTER TECH CORNER
TOP OF THE NEWS
NHS Hospital Trust In the UK Temporary Shut-Down Due to Ransomware (December 5, 2016)
A "major incident" that caused the Northern Lincolnshire and Goole NHS Foundation Trust to temporarily suspend services for several days earlier this fall was determined to have been caused by ransomware. The infection caused the Trust to cancel 2,800 patient appointments. While the strain of ransomware used in the attack has been identified as Globe2, there are no details about how the malware came to be on the Trust's systems. A spokesperson said that the Trust did not pay the ransom.
[Editor Comments]
[Murray]
It is time to re-architect enterprise data storage to resist ransomware attacks. This will involve moving all enterprise data from the desktop to servers, resisting gratuitous write access, and more robust backup.
[Williams]
Not paying a ransom is no badge of honor if your services were suspended for days. Even if the Trust had full backups, something appears to be broken in its disaster recovery process. The time to exercise a disaster recovery plan is before the incident, not after. Network segmentation is also critical in stopping the spread of ransomware.
Read more in:
ZDNet: Ransomware blamed for cyberattack which forced hospitals to cancel operations and shut down systems
-http://www.zdnet.com/article/ransomware-blamed-for-cyber-attack-which-forced-hospitals-to-cancel-operations-and-shut-down-systems/
Big New Botnet (December 2 & 5, 2016)
According to a report from CloudFlare, a massive new, as-yet-unnamed botnet has been launching attacks against organizations on the West Coast of the US. CloudFlare says the botnet is not related to Mirai. The new botnet was first detected on November 23. The attacks have been peaking at 400 Gbps and sustaining 300 Gbps for hours on end.
[Editor Comments]
[Murray]
Obama to Trump "DDoS, IoT Top Cybersecurity Priorities for 45th President"
-https://krebsonsecurity.com/2016/12/ddos-iot-top-cybersecurity-priorities-for-45th-president/
The Apple iOS apps illustrate how we should be designing appliances for safe use in the Internet. Most should be purpose-built-only and few, only the most robust, directly addressable from the Internet.
Read more in:
Computerworld: New botnet launching daily massive DDoS attacks
-http://computerworld.com/article/3147081/security/new-botnet-launching-daily-massive-ddos-attacks.html
The Register: CloudFlare warns of another massive botnet, er, flaring up
-http://www.theregister.co.uk/2016/12/05/cloudflare_warns_massive_botnet/
Ars Technica: There's a new DDoS army, and it could soon rival record-setting Mirai
-http://arstechnica.com/security/2016/12/theres-a-new-ddos-army-and-it-could-soon-rival-record-setting-mirai/
CloudFlare: The Daily DDoS: Ten Days of Massive Attacks
-https://blog.cloudflare.com/the-daily-ddos-ten-days-of-massive-attacks/
Visa Pushes Back Gas Pump Chip Deadline (December 2, 2016)
Visa has extended the deadline for installing chip readers on gas pump payment terminals to October 1, 2020. Originally, fuel station owners were supposed to have the devices in place by October 1, 2017, or assume total liability for fraudulent transactions conducted with chip-and-pin cards. According to a statement from Visa, "the fuel segment has its own unique challenges," including the fact that some older pumps may need to be replaced and a lack of sufficient hardware and software. Brian Krebs notes that "the delay comes as some states ... are grappling with major increases in fuel station skimming attacks."
[Editor Comments]
[Pescatore]
From a real risk perspective, the extension makes good business sense. The total volume of card numbers obtained from fuel pump skimming is very low, the growth in fuel pump skimmers is from a very low base. For example, the Arizona statistics cited show that 52 were discovered in the first 9 months of 2016 vs. 11 in all of 2015. That means it went from .06% of pumps to .26% of pumps and the numbers of cards actually compromised very likely grew much more slowly.
[Ullrich]
The transition to EMV chip cards has caused widespread confusion among consumers. The loss of consumer confidence in electronic payment systems must be accounted for when considering the total cost of the EMV implementation. In addition, Visa has been accused of trying to take advantage of the transition to entrench its market position by routing debit transactions made with the new terminals over its network, causing higher fees for merchants.
[Murray]
Fuel pumps, like ATMs, are special. They are unattended and can be used to capture both credit card numbers and PINs. They have high value transactions of a commodity so that they can also be used to monetize account numbers and PINs. As a result many stations do not permit debit transactions at the pump; have to "go inside" and treat like a cash transaction. This is in part because pumps are not as secure as ATMs, cannot protect PINs, and cannot resist changes to their programming. There are too few different locks, too many keys. All this is aggravated by the industry practice of putting credit card numbers in the clear on EMV cards. When BP rolled out chip and PIN to 800 pumps in the UK, compromised pumps were used to read the magnetic stripe and the PIN from chip cards. I have not yet seen a pump with a chip reader but I expect they will use the same dip reader, that the ATMs use, for both mag-stripe cards and chip and mag-stripe cards. As long as the mag-stripe is on the card, it is vulnerable and there is not an easy way to protect it.
Read more in:
KrebsOnSecurity: Visa Delays Chip Deadline for Pumps To 2020
-https://krebsonsecurity.com/2016/12/visa-delays-chip-deadline-for-pumps-to-2020/
Visa: EMV at the pump
-https://usa.visa.com/visa-everywhere/security/emv-at-the-pump.html
THE REST OF THE WEEK'S NEWS
UK Police Nab Suspect While Phone is Unlocked (December 5, 2016)
Police in London waited until a suspect's phone was unlocked before arresting him in a bid to gain access to information on the device without having to demand the password. The suspect allegedly manufactured phony payment cards using stolen data; the cards were then used to purchase luxury items.
[Editor Comments]
[Ullrich]
Criminals are using a similar trick, by asking the victim first for directions (which are answered using the map on a phone) before taking the phone. Sometimes low tech attacks can be used to defeat sophisticated technical security measures.
[Pescatore]
During active cases, smart timing of grabbing the bad guy is always best practice, and has proven to be beneficial in the long run compared to changing laws to allow any time/all the time access to suspect information.
Read more in:
SC Magazine UK: Met Police grab suspect with phone unlocked to get hold of data
-http://www.scmagazineuk.com/met-police-grab-suspect-with-phone-unlocked-to-get-hold-of-data/article/576884/
Guilty Plea in Tax Evasion Software Case (December 5, 2016)
Washington State resident John Yin has pleaded guilty to wire fraud and conspiracy to defraud the government for selling point-of-sale systems that contained revenue-suppressing software that helped businesses underpay taxes. The software, called Tax Zapper, allowed businesses to underreport revenues. Yin has also been ordered to pay restitution of nearly US $3.5 million.
Read more in:
Dark Reading: Software Salesman Pleads Guilty To PoS Scam
-http://www.darkreading.com/operations/software-salesman-pleads-guilty-to-pos-scam/d/d-id/1327634
US DOJ: Everett Software Salesman pleads Guilty to Selling 'Tax Zapper' Software to Enable Cheating on State and Federal Taxes
-https://www.justice.gov/usao-wdwa/pr/everett-software-salesman-pleads-guilty-selling-tax-zapper-software-enable-cheating
Chrome and WebView Updated to Address Certificate Validation Issue (December 5, 2016)
A bug in Google's Chrome browser caused errors when users tried to access some HTTPS-enabled websites. The issue affected validation of certain SSL certificates issued by Symantec, Geotrust, and Thawte. The flaw was introduced in Chrome 53 and also affected the Android WebView component. Android users should update to version 55 of WebView, which was released on December 1. Google has made changes to Chrome 54 on Windows, Mac, Linux, and iOS and to Chromium and Chrome Custom Tabs to address the issue; it will be fully fixed in Chrome 55.
Read more in:
Computerworld: Chrome bug triggered website errors with Symantec SSL certificates
-http://computerworld.com/article/3146719/security/chrome-bug-triggered-website-errors-with-symantec-ssl-certificates.html
Android Updates for December (December 5, 2016)
Google's Android update for December addresses 74 security issues. Eleven of the flaws are deemed critical. As it has done for several months, Google is releasing two patch levels: 2016-12-01 is the partial level and 2016-12-15 is the complete level.
Read more in:
eWeek: Google Patches Android for 74 Vulnerabilities in December Update
-http://www.eweek.com/security/google-patches-android-for-74-vulnerabilities-in-december-update.html
Ars Technica: Android 7.1.1 released for Pixel and (most) Nexus devices
-http://arstechnica.com/gadgets/2016/12/android-7-1-1-released-for-pixel-and-most-nexus-devices/
Thieves Steal US $31 Million from Russian Central Bank (December 2 & 5, 2016)
Russia's central bank lost more than 2 billion rubles (US $31.3 million) in a digital attack. The thieves reportedly accessed the targeted accounts using faked credentials.
Read more in:
Reuters: Russian central bank loses $31 million in cyber attack
-http://www.reuters.com/article/us-russia-cenbank-cyberattack-idUSKBN13R1TO?platform=hootsuite
Russia Says it Thwarted Cyberattack Against Banks (December 2, 2016)
Russia's intelligence service said that foreign spies were trying to undermine confidence in the country's banking system. The country's Federal Security Service (FSB) says it thwarted an attack that was scheduled to occur on December 5.
Read more in:
The Register: Russia accuses hostile foreign powers of plot to undermine its banks
-http://www.theregister.co.uk/2016/12/02/russia_bank_cyberattack_plot/
SC Magazine: Russian intelligence claims to bust up pending banking cyberattack
-https://www.scmagazine.com/russian-intelligence-claims-to-bust-up-pending-banking-cyberattack/article/576727/
Insurers, Cyberattacks, and Physical Damage (December 3, 2016)
Insurance policies that offer protection from data breaches generally cover only direct costs rather than the value of the lost data. However, there is a growing gray area: cyber-attacks that cause damage that triggers other sorts of policies, such as those covering home, life, or commercial property. In instances of industrial control system (ICS) attacks that damage equipment, the loss is caused by cyber attack.
[Editor Comments]
[Murray]
Few enterprises are equipped to identify their residual and insurable risks, much less purchase gapless and non-redundant coverage in the complex insurance market. Most really need to engage expert help.
[Williams]
One of our clients received payouts under a loss-of-operations policy when they couldn't operate due to a cybersecurity event. The second round of Shamoon destructive malware attacks definitely highlights the need to think about how destructive cyber attacks (and collateral damage) will be covered by your insurance. Don't assume anything; ask your legal counsel to review policies to ensure coverage is adequate.
Read more in:
The Economist: Insurers grapple with cyber-attacks that spill over into physical damage
-http://www.economist.com/news/finance-and-economics/21711086-only-cyber-calamity-will-reveal-how-ready-industry-insurers-grapple
Misconfigured Storage Device Exposed Location of Oil Industry Explosives (December 2, 2016)
A misconfigured storage drive belonging to Houston-based Allied-Horizontal Wireline Services (AHWS) exposed information about where the company stores explosives used in its oil drilling process. The device also exposed AHWS employee credentials and AHWS contracts with other companies. The company has fixed the problem.
[Editor Comments]
[Williams]
Network attached storage devices are some of the most misconfigured and vulnerable devices I see in my consulting work. One device we recently audited has a VNC server listening and the VNC server can't be disabled by the user. The company says it's there for "engineering support." Even though storage appliance operation is completely turnkey, doesn't mean that security is.
Read more in:
SC Magazine UK: Misconfigured drive exposes locations of explosives used by oil industry
-http://www.scmagazineuk.com/misconfigured-drive-exposes-locations-of-explosives-used-by-oil-industry/article/576575/
President's Commission on Enhancing National Cyber Security Issues Final Report (December 2, 2016)
The President's Commission on Cybersecurity has released its final report. Intended to serve as a transition guide for the next administration, the report calls for increasing cooperation between the government, the private sector, academia, and US citizens. It identifies six imperatives for enhancing cybersecurity: Protect, Defend, and Secure Today's Information Infrastructure and Digital Networks; Innovate and Accelerate Investment for the Security and Growth of Digital Networks and the Digital Economy; Prepare Consumers to Thrive in a Digital Age; Build Cybersecurity Workforce Capabilities; Better Equip Government to Function Effectively and Securely in the Digital Age; and Ensure an Open, Fair, Competitive, and Secure Global Digital Economy.
[Editor Comments]
[Pescatore]
Making sure there are fewer obsolete regulations and directives is a good first step, free up government CISO and auditor resources to focus on high leverage security issues. The next step, of course, is that actual focusing...
Read more in:
NIST: Commission on Enhancing National Cybersecurity: Report on Securing and growing the Digital Economy
-https://www.nist.gov/sites/default/files/documents/2016/12/02/cybersecurity-commission-report-final-post.pdf
The Hill: President's Commission on Cybersecurity releases final report
-http://thehill.com/policy/cybersecurity/308594-presidents-commission-on-cybersecurity-releases-final-report
Wired: Obama Has a Plan to Fix Cybersecurity, but its Success Depends on Trump
-https://www.wired.com/2016/12/obama-cybersecurity-plan/
SC Magazine: Presidential commission calls for collaborative action to combat cyber threats
-https://www.scmagazine.com/presidential-commission-calls-for-collaborative-action-to-combat-cyber-threats/article/576756/
Government Retiring Outdated Cyber Regulations (December 1, 2016)
Federal CISO Gregory Touhill told an audience at the FireEye Cyber Defense Summit last week that White House cyber officials plan to retire more than 60 obsolete cybersecurity policy regulations. Some of the directives to be retired date back to the 1990s.
Read more in:
Nextgov: White House Plans to Retire Outdated Cyber Regulations
-http://www.nextgov.com/security/2016/12/white-house-plans-retire-outdated-cyber-regs/133542/?oref=ng-technology-news-all
INTERNET STORM CENTER TECH CORNER
CSP Bypass with Polyglot Images
-http://blog.portswigger.net/2016/12/bypassing-csp-using-polyglot-jpegs.html
Also see this YouTube video on Polyglot Images:
-https://www.youtube.com/watch?v=Ub5G_t-gUBc
Stack Overflow SQL Injection Questions
-https://laurent22.github.io/so-injections/
Mirai Update: More Outages and Vulnerable Chipset Identified
-http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/
SEC503 Intrusion Detection in Depth in Brussels (Jan 2017):
-https://www.sans.org/event/brussels-winter-2017/course/intrusion-detection-in-depth
Video Walk Through: Analysing Hancitor Malicious Document
-https://isc.sans.edu/forums/diary/Hancitor+Maldoc+Videos/21783/
Rapid Distributed Credit Card Number Brute Forcing
-http://eprint.ncl.ac.uk/file_store/production/230123/19180242-D02E-47AC-BDB3-73C22D6E1FDB.pdf
Cloudflare Detecting Large DDoS Attacks Over Thanksgiving / Cyber Monday
-https://blog.cloudflare.com/the-daily-ddos-ten-days-of-massive-attacks/
Free Windows Tool to Harden Networks: SAMRi10
-https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
NY State Outlawing Automated Ticket Purchasing Software
-https://www.nysenate.gov/legislation/bills/2015/S8123
***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board