Cyber Skills Training at SANS Rocky Mountain Fall 2017. Save $400 thru Aug. 2.

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #100

December 20, 2016

TOP OF THE NEWS

Ukrainian Electric System Reportedly Attacked Again
US Election Assistance Commission Investigating Breach
Turkish Bank Hit in SWIFT-Related Attack
Cybersecurity Challenges at the US State Level

THE REST OF THE WEEK'S NEWS

Data Breach Insurance Claims Up in 2016
US Congressional Report Says Use of Stingrays May Be Unconstitutional
Bayrob Malware Suspects Extradited
DISA May Release Source Code for New Background Investigation System; Reorganizes DoD Data Centers
South Carolina Bill Would Require Porn Filters on New Computers
Ubuntu Linux Flaws Fixed
Approach Used to Reduce Cyberattacks From China May Not Work with Russia
US Military eMail System Attacked in August 2015

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


*********** Sponsored By Trend Micro Inc. ***********

Trend Micro has published its 2017 Security Predictions report for your reference into what to expect next year around ransomware, business email compromise as well as something wex92re calling business process compromise among other threats we expect to be troublesome for businesses next year. Read our report here. http://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/20
17


***************************************************************************

TRAINING UPDATEx2028x2028

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA | https://www.sans.org/event/security-east-2017

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA | https://www.sans.org/event/anaheim-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore | https://www.sans.org/event/secure-singapore-2017

--SANS Online Training: Get an iPad Air 2, Samsung Galaxy Tab A, or a $350 discount with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training

SANS Mentorhttps://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Ukrainian Electric System Reportedly Attacked Again (December 18 & 20, 2016)

Recent reports from Ukrainian media have indicated an increasing trend in malicious cyber-activity including distributed denial-of-service (DDoS) attacks on government websites and payment systems, and new report today of a new possible cyber-attack on the Ukraine electric system. But this time is different - where the previous attacks impacted only the electric distribution system, this latest attack is reported to have resulted in the de-energizing of a transmission-level substation.


[Assante ]
It is still to early, but if the outage is confirmed to have been the result of a successful cyber-attack, the differences between this event and the confirmed events of December 2015 are significant. Impacting an electric distribution system is likely to result in loss of power to a limited geographic area. Impacting the electric transmission system has the potential to affect a wider geographic area, causing cascading outages with the potential to damage extremely expensive and difficult to replace electric system components.

Read more in:


-https://ics.sans.org/blog/2016/12/20/how-do-you-say-ground-hog-day-in-ukrainian/


-http://ukrhotnews.com/2016/12/18/night-blackout-part-of-kiev-could-happen-due-to
-cyber-attacks-ukrenergo/



-http://en.interfax.com.ua/news/economic/391359.html

US Election Assistance Commission Investigating Breach (December 15 & 16, 2016)

The US Election Assistance Commission (EAC) has issued a statement saying it is investigating "a potential intrusion into an EAC web-facing application." The incident was detected when EAC computers access credentials were found for sale on an underground market. Some of the accounts would give users administrative privileges.

Read more in:

The Register: US voting machine certification agency probes potential hackx2028
-http://www.theregister.co.uk/2016/12/16/us_election_agency_hacked/

EAC: EAC Reports Potential Breach of Web-Facing Application
-https://www.eac.gov/eac_reports_potential_breach_of_web-facing_application/

Turkish Bank Hit in SWIFT-Related Attack (December 16, 2016)

Turkey's Akbank was targeted in a financial fraud scheme involving the SWIFT global funds transfer system. The incident will cost the bank no more than US $4 million, as any remaining losses would be covered by insurance. The bank says the December 8 attack did not compromise customer data.

Read more in:

Reuters: Turkey's Akbank faces $4 million fit from attempted cyber heist
-http://www.reuters.com/article/us-akbank-cyber-idUSKBN1450MC

Cybersecurity Challenges at the US State Level (December 16, 2016)

A study from the Pell Center for International Relations and Public Policy last year found that of the eight most populous US states, none was "cyber ready," or adequately equipped to defend its systems against and recover from cyber attacks. A September 2016 study from Deloitte-NASCIO found that while some states are gaining a keener awareness of the importance of cybersecurity, the systems that states have been introducing in the name of helping constituents actually introduce additional cyber risks.

Read more in:

GCN: Are states ill-equipped to manage cybersecurity?x2028
-https://gcn.com/blogs/cybereye/2016/12/state-defenses.aspx?admgarea=TC_SecCybers
Sec


Pell Center: State of the States on Cybersecurity (November 2015) (PDF)
-http://pellcenter.org/wp-content/uploads/2015/11/State-of-the-States-Report.pdf

NASCIO: 2016 Deloitte-NASCIO Cybersecurity Studyx2028
-http://www.nascio.org/Publications/ArtMID/485/ArticleID/413/2016-Deloitte-NASCIO
-Cybersecurity-Study-State-Governments-at-Risk-Turning-Strategy-and-Awareness-in
to-Progress



*************************** SPONSORED LINKS *****************************

1) Don't Miss: Packet Capture + Flow Analytics = Holistic Network Visibility. Register: https://www.sans.org/webcasts/packet-capture-plus-flow-analytics-holistic-networ
k-visibility-103832


2) Looking for a solution to your security issue? Visit the SANS Affiliate Directory for a list of vendors who may be able to help! www.sans.org/u/mhu

3) Cyber Threat Intelligence Survey - Take the SANS 2017 Cyber Threat Intelligence Survey and enter to win a $400 Amazon Gift Card! https://www.surveymonkey.com/r/2017SANSCTISurvey

******************************************************************************

THE REST OF THE WEEK'S NEWS

Data Breach Insurance Claims Up in 2016 (December 19, 2016)

According to data from CFC Underwriting, the company handled more than 400 cyber breach policy claims in 2016. The majority of claims are from cases involving data breaches and money transfer schemes.


[Editor Comments ]



[Honan ]
Cyber insurance should be viewed as a control to reduce the financial impact of a security breach rather than a means to prevent the breach. Saying that, I do see cyber insurance companies demanding better security from their clients as those insurance companies become more accurate at identifying and quantify the cyber-risks.


[Northcutt ]
Cybersecurity risk insurance is limited and it is important to read the fine print. Here are a few articles from SANS to get you started:

Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey:
-https://www.sans.org/reading-room/whitepapers/analyst/bridging-insurance-infosec
-gap-2016-cyber-insurance-survey-37062


Quantifying Risk: Closing the Chasm Between Cybersecurity and Cyber Insurance:
-https://www.sans.org/reading-room/whitepapers/analyst/quantifying-risk-closing-c
hasm-cybersecurity-cyber-insurance-36770


Cyber Risk Insurance:
-https://www.sans.org/reading-room/whitepapers/legal/cyber-risk-insurance-1412


[Shpantzer ]
Interesting to note that about one out of six claims (16%) are related to ransomware. Did that category even exist in last year's report?]


Read more in:

BBC: Insurers handling 'hundreds' of breach claims
-http://www.bbc.com/news/technology-38346427

The Register: Cyber insurance brokers: If it makes you feel any better, 2016 was not our year either
-http://www.theregister.co.uk/2016/12/19/cyber_insurance_claims_rise/

US Congressional Report Says Use of Stingrays May Be Unconstitutional (December 19, 2016)

According to a report from the US House Committee on Oversight and Reform, the use of cell site simulators, also known as Stingrays, by law enforcement may be unconstitutional. The report reads: "Absent proper oversight and safeguards, the domestic use (of Stingrays) may well infringe upon the constitutional tights of citizens to be free from unreasonable searchers and seizures." The report recommends that state and local police follow US Justice Department and Department of Homeland security policies, which require that law enforcement agents obtain a warrant prior to using the surveillance technology. It also asks that state and local law enforcement be forthright with the courts regarding the use of Stingrays.

Read more in:

Computerworld: Stingray use could be unconstitutional, House report finds
-http://computerworld.com/article/3151984/security/stingray-use-could-be-unconsti
tutional-house-report-finds.html


US House: Law Enforcement Use of Cell-Site Simulation Technologies: Privacy Concerns and Recommendations
-https://oversight.house.gov/wp-content/uploads/2016/12/THE-FINAL-bipartisan-cell
-site-simulator-report.pdf

Bayrob Malware Suspects Extradited (December 16 & 19, 2016)

Three people arrested in Romania earlier this year have been extradited to the US to face charges related to "a cyber fraud conspiracy" that stole at least USA $4 million from victims. A 21-count indictment against the three people was unsealed last week. The schemes have been operating since 2007, according to Symantec. The malware used in the schemes is known as Bayrob.

Read more in:

The Register: Bayrob: Romanian auction fraud suspects extradited to US
-http://www.theregister.co.uk/2016/12/19/bayrob_cybercrime_suspects_extradited/

US Justice Department: Three Romanian nationals indicted in cyber fraud case in which they infected 60,000 computers, sent out 11 million malicious emails and stole at least $4 million
-https://www.justice.gov/usao-ndoh/pr/three-romanian-nationals-indicted-cyber-fra
ud-case-which-they-infected-60000-computers

DISA May Release Source Code for New Background Investigation System; Reorganizes DoD Data Centers (December 19, 2016)

After the US Office of Personnel Management suffered major breaches exposing sensitive information belonging to people who had applied for security clearances, the government directed the Defense Department (DoD) to develop an information technology backbone to securely hold and manage security clearance data. The Defense Information Systems Agency (DISA) is considering releasing the project's underlying source code when the National Background Investigation System is complete. DISA has also reorganized the 11 DoD data centers it manages to standardize the way business is conducted.


[Editor Comments ]



[Shpantzer ]
A thousand eyes makes all bugs shallow? Hasn't that been proven incorrect many times in various open source?

Read more in:

Federal News Radio: DISA looks to open source to squash cyber bugs, reorganizes its data centers
-http://federalnewsradio.com/dod-reporters-notebook-jared-serbu/2016/12/disa-look
s-open-source-squash-cyber-bugs-reorganizes-data-centers/

South Carolina Bill Would Require Porn Filters on New Computers (December 19, 2016)

A bill introduced in South Carolina would require companies making and selling computers in that state to install filters to prevent users from accessing porn and other sexual content. The goal is to prevent access to sites facilitating prostitution and human trafficking. The South Carolina House Judiciary Committee will consider the bill when legislators reconvene in January.


[Editor Comments ]



[Williams ]
Not likely to work: (1) the porn filters would have to integrate with browsers and would be unlikely to meet the same security standards as other software, (2) challenges of securely updating block lists, etc., and (3) allowing end users to pay to remove the porn filter can lead to an underground "free porn filter remover" economy, similar to illicit keygen programs, most laced with malware.

Read more in:

ZDNet: New state bill wants to put porn blocks on new computers
-http://www.zdnet.com/article/new-state-bill-wants-porn-blocks-on-new-computers/

Ars Technica: South Carolina will debate bill to block porn on new computers
-http://arstechnica.com/tech-policy/2016/12/south-carolina-will-debate-bill-to-bl
ock-porn-on-new-computers/

Ubuntu Linux Flaws Fixed (December 18, 2016)

A remote code execution vulnerability in Ubuntu could be exploited to crash vulnerable systems or run malware. Ubuntu's default crash handler and reporting system Apport does not "properly sanitize the Package and SourcePackage fields in crash files before processing them." Several other vulnerabilities could be exploited to allow remote code execution and obtain root privileges. Fixes for the flaws have been released.

Read more in:

ZDNet: Serious Ubuntu Linux desktop bugs found and fixed
-http://www.zdnet.com/article/serious-ubuntu-linux-desktop-bugs-found-and-fixed/

Canonical Group Ltd.: Arbitrary code execution through crafted CrashDB or PackageSource files in .crash files
-https://bugs.launchpad.net/apport/+bug/1648806

Approach Used to Reduce Cyberattacks From China May Not Work with Russia (December 16, 2016)

Over the last year, there has been a discernable drop in the level of state-sponsored cyberattacks against US targets emanating from China. The shift is believed to be the result of the US's response to the attacks, which involved legal action against named suspects in attacks against US companies and threatened trade sanctions, which resulted in a 2015 agreement signed by the presidents of both countries. The attacks against US systems coming from Russia may not be so easy to rein in. Crowdstrike CTO Dmitri Alperovitch notes that "We need to stop thinking of solving cyber problems purely through cyber means ...
[and instead ]
think about the underlying problems."


[Editor Comments ]



[Henry ]
This reiterates the philosophy that there are two ways to stop attacks (which holds true in both the physical and digital world) and working solely to eliminate vulnerabilities will never work. While we must force manufactures to bake in security, and hold network owners responsible for maintaining their systems, mitigating the actual threat actors is a necessary action. This can best be done via law enforcement actions, diplomatic, or economic sanctions. Unfortunately, while those efforts may have positive results against some nation-state adversaries, they will not be effective across every threat actor profile and enhanced detection and response will be an organization's best defense.

Read more in:

Wired: Obama Curbed Chinese Hacking, but Russia Won't be so Easy
-https://www.wired.com/2016/12/obama-russia-hacking-sanctions-china/

US Military eMail System Attacked in August 2015 (December 15, 2016)

In an interview with CBS News, retired Chairman of the Joint Chiefs of Staff Martin Dempsey described an August 2015 attack against the Joint Chiefs' email system. Dempsey learned of the attack through a phone call from National Security Agency (NSA) Director Mike Rogers. The attackers managed to obtain network access credentials belonging to hundreds of senior officers. The attack is believed to have come from Russia, possibly as retaliation for economic sanctions imposed in response to the country's actions in Crimea and Ukraine. Read more in:

CBS News: Russian hack almost brought the U.S. military to its kneesx2028
-http://www.cbsnews.com/news/russian-hack-almost-brought-the-u-s-military-to-its-
knees/


INTERNET STORM CENTER TECH CORNER

Verizon Webmail XSS Exploit
-https://randywestergren.com/persistent-xss-verizons-webmail-client/

Blocking Powershell Connections via Windows Firewall
-https://isc.sans.edu/forums/diary/Blocking+Powershell+Connection+via+Windows+Fir
ewall/21829/

Exploit Kits Delivering Cerber Ransomware
-https://isc.sans.edu/forums/diary/One+if+by+email+and+two+if+by+EK+The+Cerbers+a
re+coming/21823/

More Security Companies joining "No More Ransom"
-https://www.nomoreransom.org

IT Contractor Trying to Take Over Radio Station
-https://regmedia.co.uk/2016/12/16/kcohvtaylorfiling.pdf

Holiday Safe Computing Tips
-https://isc.sans.edu/forums/diary/Holiday+Safe+Computing+Tips/21827/

Mirai Likely Behind Port 6789 Scans. Yet Another Backdoor
-https://isc.sans.edu/forums/diary/Mirai+Scanning+for+Port+6789+Looking+for+New+V
ictims/21833/

OpenSSH update
-https://www.openssh.com/releasenotes.html#7.4

Google Releases Tool to Audit Crypto Libraries
-https://security.googleblog.com/2016/12/project-wycheproof.html

Escaping A Restricted Shell
-https://humblesec.wordpress.com/2016/12/08/escaping-a-restricted-shell/


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board