Learn practical cyber security skills during SANS 2021 - Live Online. Choose from 30+ courses and three types of NetWars!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #10

February 3, 2017


Last Week's WordPress Update Included an Undisclosed Critical Vulnerability
Schneider Releases Fix for Flaw in StruxureWare Data Center Expert
SWIFT Urges Member Banks to Adopt Stronger Security Measures


Australian Nuclear Scientists' Data Compromised
U.S. Treasury Dept. Eases Sanctions on Russian Security Service
Cellular Location Data Protection Varies from State to State in U.S.
Google on Bringing KrebsOnSecurity into Project Shield
Netherlands Will Count Ballots by Hand
More Netgear Router Flaws
Fix Available for Cisco Prime Home Vulnerability
OpenSSL Security Update
Czech Government Officials Hit by Cyber Attacks



*************************** Sponsored By Malwarebytes ********************

Party with Malwarebytes at RSA Conference 2017! Visit us in Booth #2319 in the South Hall to get the latest on advanced-threat detection and incident response. And don't miss the Malwarebytes Crush Party. Mingle with your security peers at the SFMOMA on Tuesday, February 14. RSVP Today: http://www.sans.org/info/191897



--SANS Munich Winter 2017 | Munich, Germany | February 13-18, 2017 | https://www.sans.org/event/munich-winter-2017

--SANS Secure Japan 2017 | Tokyo, Japan | February 13-25, 2017 | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017

--SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017

--SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017

--SANS Online Training: Get an iPad Pro, Samsung Galaxy Tab S2, or $500 off with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/



Last Week's WordPress Update Included an Undisclosed Critical Vulnerability (February 2, 2017)

WordPress fixed a fourth, undisclosed (at the time) vulnerability in last week's update. The update notes included information about three issues, all rated moderate. The fourth security issue, which is rated severe, was not mentioned because it was so severe that the company deemed it more important to patch against it before it became known. The unauthenticated privilege escalation vulnerability affects WordPress's REST API and could be exploited to modify the content of posts and pages on WordPress sites. The WordPress update was automatically pushed out.

[Editor Comments ]

[Paller ]
Content management systems vulnerabilities (like this one in WordPress) are currently the most common method by which web sites are infected and made to compromise all visitors. In other words they enable broad compromises of unsuspecting users at sites that can no longer be trusted.

[Ullrich ]
Not releasing vulnerability details may give users a chance to patch before exploits are developed. But at the same time, patching is risky and a patch may not be applied at all if there is no clear security benefit. It is important that vendors provide clear guidance and are open in announcing security flaws addressed by particular updates.

[Williams ]
Updates were automatic for only some of the users. While automatic updates are now the default for WordPress, many clients don't use the feature because of potential plugin compatibility issues breaking the web site. This one is a "patch now" bug. Defacements, malicious links, and depending on blog settings persistent XSS are possible exploitation outcomes.

Read more in:

WordPress: Disclosure of Additional Security Fix in WordPress 4.7.2

ZDNet: WordPress: Why we didn't tell you about a big zero-day we fixed last week

Computerworld: WordPress silently fixes dangerous code injection vulnerability

The Register: WordPress fixed god-mode zero day without disclosing the problem

Schneider Releases Fix for Flaw in StruxureWare Data Center Expert (February 2, 2017)

A patch is now available for a vulnerability in Schneider Electric's StruxureWare Data Center Expert industrial control kit, which is used to monitor physical infrastructure at data centers. The flaw could be exploited to access unencrypted passwords from RAM on the client side, where they are not encrypted. Customers are urged to upgrade to StruxureWare Data Center Expert version 7.4.

[Editor Comments ]

[Murray ]
Many vulnerabilities result from the generality and flexibility of the development platforms used, others from the complexity of the task. This one is the result of ignorance of good practice, and poor supervision. It started with the understanding of requirements and the expression of design. It is bad enough when this results in risk to an enterprise writing code for its own use, much worse when the risk is to the infrastructure. We remain a long way from the point where software development can be called "engineering."

Read more in:

The Register: Another Schneider vuln: Plaintext passwords on client-side RAM resolved

Schneider Electric: Security Notification - Data Center Expert Software

SWIFT Urges Member Banks to Adopt Stronger Security Measures (February 1, 2017)

The February 2016 USD 81 million theft from Bangladesh's central bank, followed by a string of other thefts, prompted SWIFT to launch a customer security program, providing guidelines for member financial institutions as well as adopt two-factor authentication and updating to new SWIFT software. SWIFT itself was not breached, but attackers stole member institutions' SWIFT credentials which allowed them to conduct the fraudulent transactions. A SWIFT official noted that the efforts have thwarted some recent attacks.

[Editor Comments ]

[Murray ]
SWIFT is only the messenger, but their brand has been badly tarnished by the practices of their users. Advice seems to the their only tool. While security is expensive, advice is cheap. Everything looks cheap when the other guy has to do it.

Read more in:

SC Magazine: Bank Account-ability SWIFT demands action from members as threat of cyberheists looms large

*************************** SPONSORED LINKS ********************************

1) Discover the latest global application threat data and actionable intelligence with F5 Labs. http://www.sans.org/info/191902

2) Many organizations have recognized the need for a comprehensive incident management platform. Register to learn more: http://www.sans.org/info/191907

3) An organization discovered commodity malware in their environment that transformed into a targeted attack. Register to learn more: http://www.sans.org/info/191912



Australian Nuclear Scientists' Data Compromised (February 3, 2017)

A computer breach at the Australian Nuclear Science and Technology Organisation's (ANSTO) Australian Synchrotron particle accelerator compromised the usernames and passwords of scientists who use the system.

[Editor Comments ]

[Williams ]
If ANSTO's statements are taken at face value, theirs is a success story that begins and ends with proper network segmentation. Proper segmentation is a game changer and can stop small problems from becoming really big problems (nuclear problems in the case of ANSTO).

Read more in:

The Register: Particle accelerator hacked: Boffins' hashed passwords beamed up

U.S. Treasury Dept. Eases Sanctions on Russian Security Service (February 2, 2017)

The U.S. Department of the Treasury has issued a license that eases sanctions against Russia's Federal Security Service, paving the way for U.S. companies to export IT products to that country.

Read more in:

ZDNet: Treasury loosens Russia sanctions to ease encrypted tech blockade

The Hill: Treasury amends Russian sanctions to allow U.S. tech exports

USA Today: U.S. eases restrictions on cyber-security sales to Russian spy agency

CNET: Trump eases Russia sanctions to allow US electronics exports

U.S. Dept. of the Treasury: Publication of Cyber-related General License

Cellular Location Data Protection Varies from State to State in U.S. (February 2, 2017)

In some U.S. states, police can obtain cell-site location data without a warrant under the third-party doctrine which says that if people give their information to a third-party, they have no reasonable expectation of privacy. Six states have laws on the books that require warrants for all cell-site location data; three other states require warrants only for real-time tracking. Law enforcement has also sought data from an Amazon Echo smart speaker and from Sirius XM satellite radios.

Read more in:

Wired: Police Could Get Your Location Data Without a Warrant. That Has to End

Google on Bringing KrebsOnSecurity into Project Shield (February 2, 2017)

In a presentation at the Enigma security conference earlier this week, a Google security engineer described the process of bringing KrebsOnSecurity into Project Shield after Kreb's site became the target of massive distributed denial-of-service (DDoS) attacks last fall. Project Shield is a free service that uses Google technology to protect news, journalist, human rights, and election monitoring sites, from DDoS attacks on the web.

Read more in:

Ars Technica: How Google fought back against a crippling IoT-powered botnet and won

Netherlands Will Count Ballots by Hand (February 1 & 2, 2017)

The Dutch government has said that ballots in the country's parliamentary election scheduled for March 15, 2017, will be counted by hand to assuage concerns that digital tabulation systems could be compromised. Intelligence agencies have cautioned that elections in France, Germany, and the Netherlands could be at risk of manipulation.

[Editor Comments ]

[Murray ]
History suggests that efficient election fraud is always in the tabulating and reporting phases rather than in recording phase. While this procedure may "assuage" fear, it may introduce a vulnerability where there was none. "Security is a space where intuition does not serve us well."

[Northcutt ]
I am a fan of hand counted ballots for now. I believe it is possible to create a safe and reasonable voting machine, but so far, that is not a priority.




Read more in:

Reuters: Dutch will hand count ballots due to hacking fears

SC Magazine: Dutch revert to an all-paper ballot, fearing election hack

The Register: Netherlands reverts to hand-counted votes to quell security fears

More Netgear Router Flaws (January 30 & February 1, 2017)

A pair of flaws that affect 31 models of Netgear routers could be exploited to access or bypass passwords and take control of vulnerable devices. Netgear has released firmware updates for most of its vulnerable routers, and has provided workarounds for older models.

[Editor Comments ]

[Murray ]
The popularity of Netgear routers, coupled with their record of implementation-induced vulnerabilities, has now become a reason not to use them.

Read more in:

Dark Reading: Netgear Addresses Password Bypass Vulns In 31 Router Models

SC Magazine: 31 models of Netgear routers found vulnerable; could be hacked to form botnet

Trustwave: CVE-2017-5521: Bypassing Authentication on NETGEAR Routers

Trustwave: Multiple Vulnerabilities in NETGEAR Routers

Netgear: Web GUI Password Recovery and Exposure Security Vulnerability

Fix Available for Cisco Prime Home Vulnerability (February 1 & 2, 2017)

Cisco has released a patch to fix a critical remote code execution flaw in Cisco Prime Home automated configuration server, which communicates with subscriber devices using the TR-069 protocol. The vulnerability could be exploited to gain administrative privileges and take control of customers' home routers. Cisco is urging Internet service providers (ISPs) and others using the vulnerable systems to update as soon as possible.

[Editor Comments ]

[Ullrich ]
Cisco Prime Home is equipment typically deployed by ISPs; they will have to deploy the patch. Consumers will most likely not be able to do so. The TR-069 protocol and its cousins have caused issues in the past. For example, the Mirai botnet exploited routers that wrongly exposed TR-064. Unlike TR-064, which is only meant for LAN side configuration, TR-069 is used by ISPs to configure devices, and is supposed to provide for authentication. But in this case, authentication wasn't implemented correctly.

Read more in:

Computerworld: Cisco patches critical flaw in Prime Home device management server

The Register: Home-pwners: Cisco's Prime Home lets hackers hijack people's routers, no questions asked

OpenSSL Security Update (January 26 & 31, 2017)

OpenSSL has released a security update that fixes three vulnerabilities that could be exploited to cause denial-of-service conditions. In the first vulnerability, a truncated packet can crash the system via an out-of-bounds read; in the second, bad Diffie Hellman parameters in DHE/ECDHE mode could crash clients; the third involves a carry propagating bug in the x86_64 Montgomery squaring procedure.

Read more in:

The Register: OpenSSL pushes trio of DOS-busting patches

OpenSSL: OpenSSL Security Advisory
[26 Jan 2017 ]


Czech Government Officials Hit by Cyber Attacks (January 31, 2017)

A series of breaches has compromised email accounts of several high-ranking Czech officials, including the Foreign Minister. The Czech government believes that the attacks bear the hallmark of a nation-state effort. The intruders allegedly stole thousands of files.

Read more in:

The Guardian: Czech cyber-attack: Russia suspected of hacking diplomats' emails

The Hill: Nation-state suspected in hacking of Czech foreign minister


py2exe Decompiling Part 2

Telemarketer Leaks Call Recordings

Facebook Introduces Delegated Recovery Protocol

Another Cisco WebEx Update

Cryptkeeper Does Not Correctly Encrypt Folders

Fileless UAC Bypass Used to Drop Keybase Malware

Apple Removes Activation Lock Test Tool After Abuse

Multiple Vulnerabilities in tcpdump

Postscript Printer Vulnerabilities

Stop Disabling SELinux

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board