SANS NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Volume XIX - Issue #11

February 7, 2017

PESCATORE: Final call to nominate products for the SANS "Best Of" awards for the products and services that made a difference for you in the past year - and a chance to win an iPad! Information and instructions on how to participate in the SANS "Best of 2016" survey are at https://www.surveymonkey.com/r/SANSBestof2016


Proof-of-Concept Exploit for Windows SMB Memory Corruption Vulnerability
Vulnerabilities in Honeywell ICS Software
GSA to Launch Bug Bounty Program


House Passes Bill Requiring Warrant to Access Digital Data
Polish Banks Infected With Malware Through Country's Financial Regulator
Google eMail Surrender Order
InterContinental Hotel Group Acknowledges Breach
Guilty Plea in Online Banking Theft
Australian Signals Directorate Updates Threat Mitigation Strategy From Top Four to Essential Eight
Two Arrested in UK Over DC Surveillance Camera Hack
Secret Service Cell Phone Forensics Facility
House Judiciary Committee Priorities








Proof-of-Concept Exploit for Windows SMB Memory Corruption Vulnerability (February 2, 3 & 4)

A proof-of-concept exploit for a vulnerability in all currently supported versions of Windows was released last week. The memory corruption flaw lies in the way Windows handles Server Message Block (SMB) traffic. The flaw could be remotely exploited to cause denial-of-service conditions. There is currently no fix available.

[Editor Comments]

[Ullrich]
To exploit this, a client needs to connect to a malicious SMB server. An attacker may easily trigger such a connection with an IMG tag in an HTML page delivered to the client. It is critical, not just due to this exploit, that outbound SMB connections are blocked from your network. Many networks block only inbound connections.

[Williams]
Just because you don't have SMB exposed to the Internet from the perimeter, don't ignore this vulnerability; it is still a big deal. Unlike many previous SMB vulnerabilities, this one can be exploited simply by connecting outbound to a host listening on SMB. This means you need to block TCP ports 139 and 445 OUTBOUND at the firewall to be truly secure (this is a good idea for a whole host of reasons). I've looked at the crash for this vulnerability and I don't think it is likely to be weaponized into a remote code execution exploit thanks to the use of high entropy ASLR. That being said, this bug highlights an SDLC failure in that it is a trivial bounds check issue that should have been easily discovered during security testing.

Read more in:

DarkReading: Windows SMB Zero-Day Exploit On The Loose

V3: Windows SMB zero-day exploit published after Microsoft fails to fix issue

The Register: New SMB bug: How to crash Windows system with a 'link of death'

Computerworld: Microsoft likely to fix Windows SMB denial-of-service flaw on Patch Tuesday

CERT: Microsoft Windows SMB Tree Connect Response denial of service vulnerability

Vulnerabilities in Honeywell ICS Software (February 3 & 6, 2017)

The U.S. Department of Homeland Security's (DHS's) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an advisory about vulnerabilities in Honeywell XL II Web Controller software. The flaws are plaintext storage of a password; insufficiently protected credentials; session fixation; improper privilege management; and path traversal. The flaws could be exploited remotely. Honeywell has released an update to address the vulnerabilities.

[Editor Comments]

[Assante]
The ill-advised combination of a clear text/accessible password and session weakness in a newer web controller demonstrates the prevailing view of cyber security in building automation. This product is designed for flexibility and low cost, resulting in Honeywell warning customers that operating the controller on IP networks requires a VPN or other protection from the 'open Internet'.

[Murray]
This is the second case in as many weeks where we have seen this kind of vulnerability. Is it possible that vendors selling infrastructure products do not even know that these vulnerabilities are designed into their products?

Read more in:

Threatpost: Honeywell SCADA Controllers Exposed Passwords in Clear Text

CyberScoop: DHS warns of vulnerabilities in popular, outdated ICS software

ICS-CERT: Honeywell XL Web II Controller Vulnerabilities

GSA to Launch Bug Bounty Program (February 6, 2017)

The U.S. government's General Services Administration's (GSA's) Technology Transformation Service (TTS) plans to establish a bug bounty program. According to the draft solicitation, TTS is seeking to use an existing bug bounty platform that will allow "TTS access to a large network of security researchers, people who have an interest ... in helping to find and address bugs and other technical issues within TTS-owned web applications."

[Editor Comments]

[Pescatore]
Well managed bug bounty programs have been very successful, in both effectiveness and efficiency - as measured both in finding vulnerabilities and in getting them eliminated or mitigated, which is the most important part. The GSA solicitation includes emphasis on "well managed," which is critical!

Read more in:

Federal News Radio: GSA to join DoD in hiring ethical hackers to find cyber vulnerabilities

GitHub: Performance Work Statement: TTS Bug Bounty




House Passes Bill Requiring Warrant to Access Digital Data (February 6, 2017)

The U.S. House of Representatives has unanimously passed a bill requiring law enforcement to obtain a warrant before accessing digital data. The Email Privacy Act addresses a loophole left by 1986's Electronic Communications Privacy Act (ECPA) that allowed law enforcement to obtain digitally stored data on a third-party server that are more than 180 days old, because in pre-Internet days, data left on third-party servers for six months were considered to have been abandoned. The legislation must now pass in the Senate.

Read more in:

The Hill: House passes bill requiring warrants for digital data

Wired: Passing the eMail Privacy Act Has Never Been More Urgent

Google eMail Surrender Order (February 6, 2017)

A federal judge in Pennsylvania has ordered Google to turn over to the FBI emails stored on a server in a foreign country. The case concerns domestic theft of trade secrets. The ruling lies in stark contrast to a similar case involving Microsoft, in which the software company prevailed.

[Editor Comments]

[Williams]
The critical difference in this case is likely the certainty with which Microsoft could say the data requested was located outside of the US, which is not present in the Google case. Businesses looking to challenge similar subpoenas for data in the future should ensure that they have nailed down data location and can prove to the courts that the data is overseas without the possibility that some of it has load-balanced its way into a US datacenter.

[Murray]
One test that the Supreme Court uses for granting "cert" is disagreement among lower courts.

Read more in:

ZDNet: Google ordered to hand over foreign emails to FBI, unlike Microsoft

Computerworld: Court orders Google to produce emails stored abroad

Computerworld: Why Google was told to hand over email stored overseas to the FBI

The Hill: US court orders Google to hand over data on foreign servers

House Judiciary Committee Priorities (February 1, 2017)

Last week, U.S. House Judiciary Committee Chairman Representative Bob Goodlatte (R-Virginia) listed the committee's priorities for this Congress. Noting "It's clear that more security, not less, is needed to make sure that people and businesses are protected," Goodlatte said the committee will use a joint report from the Judiciary and Energy and Commerce Committees issued in December as its starting point regarding encryption. The report strongly urges that encryption not be weakened to aid law enforcement investigations. Other priorities include updating the 1986 Electronic Communications Privacy Act (ECPA) to require warrants for law enforcement access to all email; "explor[ing] solutions to govern law enforcement's access to data stored overseas"; and renewing Section 702 of the Foreign Intelligence Surveillance Act.

[Editor Comments]

[Pescatore]
The House Committee's Encryption Working Group was very forceful in emphasizing a well-proven fact: "Encryption is inexorably tied to our national interests. It is a safeguard for our personal secrets and economic prosperity. It helps to prevent crime and protect national security." However, every incoming administration gets "The Briefing" that details incidents where child pornographers, terrorists etc. used encryption to evade monitoring, which tends to cause the old debates to be repeated.

Read more in:

NextGov: Undermining Encryption Not An Option, House Judiciary Chair Pledges

Polish Banks Infected With Malware Through Country's Financial Regulator (February 6, 2017)

The Polish Financial Supervision Authority (KNF) has taken down its systems to "secure evidence" in an investigation into malware that KNF's systems appear to have been serving to Polish banks. The banks discovered the malware after they noticed unusual network traffic patterns.

Read more in:

The Register: Polish banks hit by malware sent through hacked financial regulator

Softpedia: Polish Banks Hacked via Malware Coming from Financial Regulator

InterContinental Hotel Group Acknowledges Breach (February 3 & 6, 2017)

InterContinental Hotels Group (IHG) has acknowledged a payment card breach, first reported by KrebsOnSecurity in late December 2016. The breach affects at least 12 properties in the U.S. In a statement, IHG said it found malware on point-of-sale servers at the 12 properties between August and December 2016. The attackers stole data stored on payment cards' magnetic stripes, which includes card numbers and verification codes.

[Editor Comments]

[Murray]
PCI DSS discourages the storing of verification codes. Having done so might well increase their liability to the banks, if not to consumers.

Read more in:

KrebsOnSecurity: InterContinental Confirms Breach at 12 Hotels

Reuters: InterContinental confirms payment card breach at 12 U.S. hotels

Dark Reading: InterContinental Confirms Security Breach At 12 US Hotels

PRNewsWire: IHG Notifies Guests of Payment Card Incident at 12 Properties in the Americas

Guilty Plea in Online Banking Theft (February 3 & 6, 2017)

Vyacheslav Khaimov pleaded guilty last week to operating an unlicensed money transmitting business, for his role in an international operation that stole money from online bank accounts. The scheme used malware to steal online banking account access credentials and drain the accounts of funds. Khaimov is believed to have stolen at least USD 230,000; the crime ring he was part of stole a total of at least USD 1.2 million.

Read more in:

The Register: Web banking malware slurps $1.2m for crooks, now kingpin 'fesses up

CyberScoop: "Samuel Gold" admits to hacking U.S. banks as part of cybercrime ring

Justice Dept.: Brooklyn Man Pleads Guilty In Connection With International Cybercrime Spree

Australian Signals Directorate Updates Threat Mitigation Strategy From Top Four to Essential Eight (February 5, 2017)

The Australian Signals Directorate's (ASD) Top Four cyber threat mitigation strategies are now the Essential Eight. The four new strategies address "ransomware and external adversaries with destructive intent, malicious insiders, 'business email compromise,' and industrial control systems." The new strategies are: disable untrusted Microsoft Office Macros; block browser access to web advertisements, untrusted Java code, and Adobe Flash, uninstalling Flash if possible; use multi-factor authentication; and back up important data daily and store them securely.

[Editor Comments]

[Williams]
I've long been a fan of the DSD's Top Four since they offer quick, actionable steps to measurably improve cyber security. Organizations looking to maximize impact for their security dollars spent should look to the DSD Top Eight for guidance.

[Pescatore]
Good to see multi-factor authentication listed by the ASD as essential, as well as re-emphasizing limiting admin privileges. The vast majority of damaging attacks are enabled by phishing and other password stealing attacks - hardening user authentication raises the bar in a very necessary way. User resistance used to be the obstacle, but surveys show on the order of 25% of users already use some form of strong authentication on personal accounts - users and upper level management are less of an impediment today than security program inertia.

Read more in:

ZDNet: Block adverts, delete Flash, kill Java: ASD

ASD: Strategies to Mitigate Cyber Security Incidents

Two Arrested in UK Over DC Surveillance Camera Hack (February 3, 2017)

Authorities in Britain have arrested two people who are believed to have been involved in an attack that disabled, for three days last month, surveillance camera recorders used by police in Washington D.C. Approximately two-thirds of the 187 cameras were affected.

Read more in:

The Hill: UK arrests 2 suspected in DC police camera hacking

Secret Service Cell Phone Forensics Facility (February 2, 2017)

The U.S. Secret Service Cell Phone Forensics Facility helps law enforcement agencies that do not have adequate tools and skills to retrieve evidence from electronic devices. The facility is staffed by two full-time agents, helped by students and faculty from the University of Tulsa (Oklahoma) Cyber Corps Program. The facility examines phones only after authorities have received a warrant from a judge.

Read more in:

CSMonitor: Hunting for evidence, Secret Service unlocks phone data with force or finesse


Base64 Encoded Malware Samples on Pastebin

Cisco Recalling Meraki Access Points over Fatal Hardware Flaw

SQL Injection Vulnerability in McAfee ePolicy Orchestrator

Update from Microsoft on SMB 3 Vulnerability

Malicious Files Sent via WhatsApp to Target Indian Military

Malicious or Not? Help Me Decide

OpenBSD HTTP Server DoS Vulnerability

Bypassing Tor Browser Via Windows DRM

Freedom Hosting II Compromise

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board