SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #97
December 09, 2016
TOP OF THE NEWS
NIST Report: Dramatically Reducing Software Vulnerabilities
Report: Priorities for Cyber Security at Nuclear Facilities
DoJ Will Seek Legislative Fix to Obtain Evidence Held Abroad
THE REST OF THE WEEK'S NEWS
ThyssenKrupp Discloses Data Theft
TalkTalk Router Firmware Update is Inadequate
Sony Shuts Backdoor in Surveillance Cameras
Malware Writers Could Use Anti-Virus Exclusion Lists
Western Australia Auditor General Report: Agencies Need to Collaborate on Cybersecurity
Stegano Malvertising Attacks
Android Update Cleans Up Dirty COW and Fixes Qualcomm Chip GPS Almanac Flaw
IBM's Watson Beta to Help Fight Cybercrime
INTERNET STORM CENTER TECH CORNER
*********************** Sponsored By Carbon Black *************************
Available Now On Demand: Ready to Replace AV? Criteria to Evaluate NGAV Solutions Featuring Neil Boland, CISO at MLB and Greg Notch, SVP, NHL. Go to:
http://www.sans.org/info/190822
***************************************************************************
--SANS Security East 2017 | New Orleans, LA | January 9-14, 2017 | https://www.sans.org/event/security-east-2017
--SANS Brussels Winter 2017 | Brussels, Belgium | Jan 16-21, 2017 | https://www.sans.org/event/brussels-winter-2017
--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017
--SANS Las Vegas 2017 | Las Vegas, NV | January 23-30, 2017 | https://www.sans.org/event/las-vegas-2017
--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017
--SANS Southern California - Anaheim 2017 | Anaheim, CA |February 6-11, 2017 | https://www.sans.org/event/anaheim-2017
--SANS Munich Winter 2017 | Munich, Germany | February 13-18, 2017 | https://www.sans.org/event/munich-winter-2017
--SANS Secure Japan 2017 | Tokyo, Japan | February 13-25, 2017 | https://www.sans.org/event/secure-japan-2017
--SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017
--SANS Online Training
Get an iPad Air 2, Samsung Galaxy Tab A, or a $350 discount with all OnDemand https://www.sans.org/ondemand/specials and vLive https://www.sans.org/vlive/specials courses now.
--Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/
***************************************************************************
TOP OF THE NEWS
NIST Report: Dramatically Reducing Software Vulnerabilities (December 7, 2016)
The US National Institute of Standards and Technology (NIST) has released a report offering recommendations for coders to help reduce the incidence of vulnerabilities in software. The report suggests five technical approaches: using math-based tools for code function verification; writing modular programs so one bad portion doesn't bring down the entire program; connecting code analysis tools; using appropriate programming languages; and creating evolving and changing tactics to protect code targeted in attacks.
Read more in:
SC Magazine: NIST Report: Approaches to reduce software vulnerabilities
-https://www.scmagazine.com/nist-report-approaches-to-reduce-software-vulnerabilities/article/577211/
NIST: Dramatically Reducing Software Vulnerabilities (PDF)
-http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8151.pdf
Report: Priorities for Cyber Security at Nuclear Facilities (December 7, 2016)
A paper prepared for the 2016 IAEA International Conference on Nuclear Security "examines the growing cyber threat to nuclear facilities and provides priorities for governments and industry for protecting nuclear facilities from cyberattacks." The paper describes four priorities for action: Institutionalize Cyber Security; Mount an Active Defense; Reduce Complexity; and Pursue Transformation.
Read more in:
NTI: Outpacing Cyber Threats: Priorities for Cyber Security at Nuclear Facilities
-http://www.nti.org/analysis/articles/outpacing-cyber-threats-priorities-cyber-security-nuclear-facilities-paper/
DoJ Will Seek Legislative Fix to Obtain Evidence Held Abroad (December 8, 2016)
The US Department of Justice (DoJ) plans to submit a legislative fix that would allow it to demand evidence stored on servers in other countries. The action is designed to circumvent a court ruling which said that DoJ could not demand emails from Microsoft because they were held on a server in Ireland. The courts said that there must be an international agreement between the US and a foreign country for US officials to request data stored in that country.
[Editor Comments]
[Williams]
While this is a predictable response to the court's ruling earlier this year, it is likely to persuade many organizations to place data centers overseas - in many cases to comply with host country laws. If this legislation passes, it will likely cause strain for companies who operate internationally. Complying with a DoJ request to move data from an overseas location to the US could subject the company to sanctions in the host country.
[Murray]
It is simplistic to think that there is a "legislative fix" to this issue. Simply passing a law like the one suggested here will put American companies in a bind between US law and that of other countries in which they do business. It will make them even less welcome in the rest of the world.
Read more in:
The Hill: DOJ to propose 'legislative fix' on overseas digital evidence
-http://thehill.com/policy/cybersecurity/309478-doj-official-well-propose-legislative-fix-on-overseas-digital-evidence
*************************** SPONSORED LINKS *****************************
1) Join this webinar to learn the technical details behind key Splunk Enterprise Security frameworks. http://www.sans.org/info/190827
2) Register to hear about intelligence-driven security operations programs and how they can become proactive, anticipatory, and adaptive. http://www.sans.org/info/190832
3) LAST CHANCE! Take the SANS 2016 Endpoint Protection Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/190837
******************************************************************************
THE REST OF THE WEEK'S NEWS
ThyssenKrupp Discloses Data Theft (December 8, 2016)
Thieves stole intellectual property from German steelmaker ThyssenKrupp earlier this year. The breach is believed to have occurred in February, but was not detected until April. Information was taken from the company's Industrial Solutions and Steel Europe divisions. According to an investigation, the attackers were from Southeast Asia.
Read more in:
Computerworld: Cyberspies stole secrets from industrial giant ThyssenKrupp
-http://computerworld.com/article/3148254/security/cyberspies-stole-secrets-from-industrial-giant-thyssenkrupp.html
Reuters: ThyssenKrupp secrets stolen in 'massive' cyber attack
-http://www.reuters.com/article/us-thyssenkrupp-cyber-idUSKBN13X0VW
Dark Reading: Data Theft At ThyssenKrupp Highlights Industrial Espionage Threat
-http://www.darkreading.com/attacks-breaches/data-theft-at-thyssenkrupp-highlights-industrial-espionage-threat/d/d-id/1327675?
The Register: Real deal: Hackers steal steelmaker trade secrets
-http://www.theregister.co.uk/2016/12/08/hackers_steal_steelmaker_secrets/
TalkTalk Router Firmware Update is Inadequate (December 6, 7 and 8, 2016)
Several ISPs, including TalkTalk, are being urged to replace customers' wireless routers. Attackers have been stealing Wi-Fi keys from the vulnerable routers. TalkTalk released a firmware update that failed to adequately address the problem. In a related story, TalkTalk routers in the UK are being infected with Mirai botnet software.
Read more in:
The Register: Mirai variant turns TalkTalk routers into zombie botnet agents
-http://www.theregister.co.uk/2016/12/08/talktalk_routers_may_be_botnet_imperva_says/
SC Magazine: TalkTalk customers urged to get routers swapped over hacker fears
-https://www.scmagazine.com/talktalk-customers-urged-to-get-routers-swapped-over-hacker-fears/article/577736/
The Register: Hackers actively stealing Wi-Fi keys from vulnerable routers
-http://www.theregister.co.uk/2016/12/06/wifi_looting_router_hacking/
Sony Shuts Backdoor in Surveillance Cameras (December 6 and 8, 2016)
Sony has released a firmware update to close backdoors on approximately 80 models of its network security cameras. The hard-coded default credentials could be exploited to execute code, take control of vulnerable devices, disrupt device functions, spy on device owners, and to be recruited into botnets.
[Editor Comments]
[Williams]
As we come to the end of 2016, it's high time for the problem of hard coded credentials to be long gone. The FTC needs to start fining companies who release hard coded credentials in their products with extra fines going to those who hard code privileged credentials.
Read more in:
The Register: Sony kills off secret back door in 80 internet-connected CCTV models
-http://www.theregister.co.uk/2016/12/06/sony_ip_camera_backdoor/
Computerworld: Backdoor accounts found in 80 Sony IP security camera models
-http://computerworld.com/article/3147671/security/backdoor-accounts-found-in-80-sony-ip-security-camera-models.html
KrebsOnSecurity: Researchers Find Fresh Fodder for IoT Attack Cannons
-https://krebsonsecurity.com/2016/12/researchers-find-fresh-fodder-for-iot-attack-cannons/
ZDNet: Backdoor vulnerabilities discovered in Sony IP cameras
-http://www.zdnet.com/article/backdoors-discovered-in-sony-ip-cameras/
Malware Writers Could Use Anti-Virus Exclusion Lists (December 7, 2016)
Malware creators could use anti-virus exclusion lists to target certain organizations. The exclusion lists from software vendors describe which files and directories anti-virus products should ignore to avoid false positives. In essence, it's a whitelist of permitted processes, which could allow attackers to tailor their malware to infiltrate systems through processes that will not be stopped by anti-virus software.
[Editor Comments]
[Henry]
This is the primary reason to focus on adversary tactics rather than trying to "block" all malware. Adversaries continuously seek to circumvent security protocols and counter enhanced defenses, and identifying them through the use of their developing techniques allows for faster detection and mitigation.
[Williams]
Malware putting itself in an antivirus whitelist upon infecting a machine is nothing new - we've seen it in a number of compromises. But there's a Catch-22 for attackers: the presence in the AV whitelist is itself an indicator of compromise (IOC) that can be used to find attackers in the network.
[Shpantzer]
We must assume some clients will be compromised. Particularly sensitive clients are paradoxically also often the least protected re: patching/hardening and agents on the box. This demands network security such as segmentation and segregation in a highly monitored pod, with traffic tightly restricted.
Read more in:
The Register: Crims using anti-virus exclusion lists to send malware to where it can do most damage
-http://www.theregister.co.uk/2016/12/07/clever_crims_using_av_exclusion_lists_as_malware_safe_harbour/
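The editor comment above treats an unexpected anti-virus exclusion as an indicator of compromise. As an added example that is not part of the newsletter or of any vendor's tooling, the following PowerShell script reads the local Windows Defender exclusion lists with Get-MpPreference, compares them with a baseline captured on a clean reference host, and flags both entries missing from the baseline and exclusions that cover user-writable locations. The baseline path is a hypothetical placeholder, and the "risky location" pattern is a heuristic to tune for your estate.

```powershell
# Added example, not from the newsletter or any AV vendor: audit the local Windows
# Defender exclusion lists against a baseline captured on a clean reference host.
# An exclusion nobody on the security team added is treated as a possible IOC.
# Run elevated. The baseline path is a hypothetical placeholder; create the file
# once on a known-good host with -WriteBaseline, then run without it on endpoints.
param(
    [string]$BaselinePath = 'C:\SecOps\defender-exclusions-baseline.json',
    [switch]$WriteBaseline
)

# Locations an attacker can usually write to; an exclusion covering one of these
# deserves scrutiny even when it is in the baseline (heuristic, tune per estate).
$RiskyLocation = '\\(Users|Temp|ProgramData|AppData|Public|Downloads)\\'

function Get-DefenderExclusions {
    # Get-MpPreference exposes the configured lists; unset lists come back as $null,
    # so filter empties out before sorting to keep the JSON baseline clean.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Path      = @($pref.ExclusionPath      | Where-Object { $_ } | Sort-Object -Unique)
        Extension = @($pref.ExclusionExtension | Where-Object { $_ } | Sort-Object -Unique)
        Process   = @($pref.ExclusionProcess   | Where-Object { $_ } | Sort-Object -Unique)
    }
}

function Compare-Exclusions {
    param($Current, $Baseline)
    foreach ($kind in 'Path', 'Extension', 'Process') {
        # @() copes with ConvertFrom-Json unrolling single-element arrays to a scalar.
        $known = @($Baseline.$kind)
        foreach ($entry in @($Current.$kind)) {
            $reasons = @()
            if ($known -notcontains $entry) { $reasons += 'not in baseline' }
            if ($kind -ne 'Extension' -and $entry -match $RiskyLocation) {
                $reasons += 'covers user-writable location'
            }
            if ($reasons) {
                [pscustomobject]@{ Kind = $kind; Entry = $entry; Finding = ($reasons -join '; ') }
            }
        }
    }
}

$current = Get-DefenderExclusions
if ($WriteBaseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
    return
}
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$report = @(Compare-Exclusions -Current $current -Baseline $baseline)
if ($report.Count -eq 0) { 'No unexpected Defender exclusions.' }
else { $report | Format-Table -AutoSize }
```

Any finding is a prompt for investigation, not proof of compromise; legitimate software installers also add exclusions, so feed confirmed-good entries back into the baseline.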
Western Australia Auditor General Report: Agencies Need to Collaborate on Cybersecurity (December 7, 2016)
A report from the Western Australia Office of the Auditor General (OAG) found that networks at all six audited agencies had "experienced numerous attempted attacks and malware downloads." The OAG made recommendations for each of the agencies. The report does not disclose the agency-specific recommendations, but it does note "the need for agencies to employ layered controls with constant monitoring and improvement," and recommends that the Western Australia public sector should "consider methods to foster collaboration, information and resource sharing between agencies."
[Editor Comments]
[Shpantzer]
Collaboration, also known as threat intelligence sharing, is one way to make security better, but should not supersede the basics. The Australian government already knows what needs to be done, AKA the ASD Top 35, specifically the first four, so focus on collaboration that shares best ways to implement those controls...
Read more in:
ZDNet: WA Auditor General recommends inter-agency cooperation to counter malware
-http://www.zdnet.com/article/wa-auditor-general-recommends-inter-agency-cooperation-to-counter-malware/
Western Australia Gov: Malware in the WA State Government
-https://audit.wa.gov.au/wp-content/uploads/2016/12/report2016_28-Malware.pdf
Stegano Malvertising Attacks (December 6 and 7, 2016)
A malvertising attack dubbed Stegano has been targeting popular news websites. The malware makes its way onto users' computers through pixels in banner ads displayed on booby-trapped websites. The malware does not infect every computer that visits the site; instead, it chooses its targets. Stegano redirects machines to an exploit kit that takes advantage of several vulnerabilities in Flash. The campaign was detected by ESET.
[Editor Comments]
[Hoelzer]
A very clever example of delivering malware in a completely innocuous binary form; encoded images + ubiquitous Javascript. If endpoint security tools are detected, decoding/execution is terminated; this really makes the case for the need for endpoint protection tools on *every* computer, even those who are very careful in their usage and browsing habits.
[Shpantzer]
Go to the welivesecurity URL below (the ESET report) and at the very end, see the domains included in the campaign. Run those against your DNS logs going back as far as you can. You do have DNS logs, right?
Read more in:
Computerworld: Malicious online ads expose millions to possible hack
-http://computerworld.com/article/3147908/security/malicious-online-ads-expose-millions-to-possible-hack.html
Ars Technica: Millions exposed to malvertising that hid attack code in banner pixels
-http://arstechnica.com/security/2016/12/millions-exposed-to-malvertising-that-hid-attack-code-in-banner-pixels/
SC Magazine: Stegano malvertising campaign invades major news websites, warns report
-https://www.scmagazine.com/stegano-malvertising-campaign-invades-major-news-websites-warns-report/article/577446/
ESET: Readers of popular websites targeted by stealthy Stegano exploit kit hiding in pixels of malicious ads
-http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/
Android Update Cleans Up Dirty COW and Fixes Qualcomm Chip GPS Almanac Flaw (December 6 and 7, 2016)
Google's most recent Android update fixes a new variant of the Dirty COW privilege escalation exploit as well as a vulnerability in the way Android downloads GPS satellite data. The Dirty COW flaw could be exploited to gain root privileges on vulnerable devices. The GPS issue affects Android devices with certain Qualcomm chipsets. Some implementations of the technology that helps devices use an almanac of satellites to find GPS signals could be exploited in a man-in-the-middle attack because they use unencrypted and unauthenticated HTTP rather than HTTPS.
Read more in:
SC Magazine: Android Dirty Cow flaw swept clean in latest security bulletin
-https://www.scmagazine.com/dirty-cow-vulnerability-patched-in-latest-android-bulletin/article/577385/
Computerworld: Latest Android security update fixes Dirty COW, GPS vulnerabilities
-http://www.computerworld.com/article/3147879/security/latest-android-security-update-fixes-dirty-cow-gps-vulnerabilities.html
The Register: Android, Qualcomm move on insecure GPS almanac downloads
-http://www.theregister.co.uk/2016/12/07/android_qualcomm_move_on_insecure_gps_almanac_downloads/
IBM's Watson Beta to Help Fight Cybercrime (December 6, 2016)
Forty companies have been named to take part in IBM's Watson for Cyber Security beta. The cognitive computing technology will be used to address computer and network security issues. IBM began training Watson in the fundamentals of cybersecurity months ago. Watson is intended not to replace humans, but to help people identify cybersecurity threats.
Read more in:
Wired: IBM's Watson Now Fights Cybercrime in the Real World
-https://www.wired.com/2016/12/ibm-watson-for-cybersecurity-beta/
ZDNet: IBM Watson AI: These firms are fighting cybercrime using cognitive computing
-http://www.zdnet.com/article/ibm-watson-ai-these-firms-are-fighting-cybercrime-using-cognitive-computing/
eWeek: IBM Watson for Cyber Security Expands with Beta Launch
-http://www.eweek.com/security/ibm-watson-for-cyber-security-expands-with-beta-launch.html
V3: IBM names 40 companies in IBM Watson for Cyber Security Beta
-http://www.v3.co.uk/v3-uk/news/2479181/ibm-names-40-companies-in-ibm-watson-for-cyber-security-beta
INTERNET STORM CENTER TECH CORNER
Attacking NoSQL Applications
-https://isc.sans.edu/forums/diary/Attacking+NoSQL+applications/21787/
Heap Buffer Overflow in Encase Forensic Imager
-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20161128-0_Guidance_Software_Encase_DoS_heap_buffer_overflow_vulnerabilities_v10.txt
Raspbian To Increase Default Security
-https://www.raspberrypi.org/blog/a-security-update-for-raspbian-pixel/
SONY Camera Backdoor
-https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20161206-0_Sony_IPELA_Engine_IP_Cameras_Backdoors_v10.txt
Attackers are using AV Exclusion Lists to Bypass AV
-http://www.theregister.co.uk/2016/12/07/clever_crims_using_av_exclusion_lists_as_malware_safe_harbour/
Android Update Patches "Dirty Cow"
-https://source.android.com/security/bulletin/2016-12-01.html
"Goldeneye" Ransomware May Use Stolen Data For Realistic E-Mails
-https://www.heise.de/security/meldung/Goldeneye-nutzt-Informationen-vom-Arbeitsamt-fuer-aeusserst-gezielte-Angriffe-3564386.html
Firefox Cross Domain Cookie Vulnerability
-https://insert-script.blogspot.ch/2016/12/firefox-svg-cross-domain-cookie.html
Domaincops Malware
-https://isc.sans.edu/forums/diary/Good+Cop+Bad+Cop+Domain+Cop/21795/
Yahoo Mail Persistent XSS
-https://klikki.fi/adv/yahoo2.html
Trend Office Scan False Positives
-https://www.reddit.com/r/sysadmin/comments/5gs2gv/anyone_else_also_affected_by_a_deleted/
Linux Privilege Escalation due to af_packet.c race condition
-http://seclists.org/oss-sec/2016/q4/607
***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board