SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #19

March 7, 2017

Tomorrow (Wednesday, March 8) is the final day to use the early bird discount code - "EarlyBird17" - to save on any of the 39 four-to-six day courses at SANS 2017 in Orlando next month. Three completely new courses help boost productivity and effectiveness in advanced security teams: FOR572: Advanced Network Forensics and Analysis; SEC573: Automating Information Security with Python; and SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques. Many attendees bring their families down for the weekend to make their learning opportunity into a fun, family, Disney event. More at https://www.sans.org/event/sans-2017


Defense Science Board Task Force Says US Cannot Respond Effectively to Cyber Attack from Russia or China
Electric Grid Resilience Under Review
DoJ Drops Case Against Alleged Child Porn Suspect to Protect Tor Hacking Technique


Consumer Reports Will Evaluate Privacy and Data Security
Google and Microsoft Raise the Ceiling on Bug Bounty Payments
Columbia Sportswear Files Lawsuit Against Former Employee Alleging CFAA and Wiretap Act Violations
Proton RAT Targets macOS Devices
Bill Would Let Companies Under Attack Break Into Attackers' Network
US Federal Tech Position Vacancies Raise Concerns
PowerShell Remote Access Trojan
Slack Fixes Account Hijack Flaw
State Cyber Resiliency Act Introduced in US House and Senate




***************************Sponsored By Malwarebytes*******************
Cyberattacks and cybersecurity, or a lack thereof, grabbed media attention on both the corporate and consumer sides, even becoming a key issue in the US presidential election. In this respect, you could say that everyone, even those who have never logged on, was affected by cyberattacks and hacking in 2016. Check out this research paper. http://www.sans.org/info/192527


-- SANS ICS Security Summit & Training | Orlando, FL | March 20-27, 2017 | https://www.sans.org/event/ics-security-summit-2017

-- SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017

-- SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017

-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017

-- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017

-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017

-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017

-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/



Defense Science Board Task Force Says US Cannot Respond Effectively to Cyber Attack from Russia or China (March 3, 2017)

According to the Final Report of the Defense Science Board Task Force on Cyber Deterrence, the US military lacks the cyber capabilities to defend against potential attacks against financial systems, telecommunications systems, and other elements of critical infrastructure launched by Russia or China. Furthermore, the US military's dependence on IT makes it vulnerable to attacks that could diminish its capabilities to respond to such attacks. The task force recommends that the Pentagon develop a second-strike capability that is cyber-resilient.

[Editor Comments]

[Murray] We need standards and metrics for survivability and resilience. "If we cannot measure it, we cannot recognize its presence or absence," much less improve it. Standards and metrics are what we have NIST for. Perhaps this was more obvious when the name was National Bureau of Standards.

Read more in:

CyberScoop: Report: U.S. military can't guarantee retaliation against major cyber attack https://www.cyberscoop.com/defense-science-board-cyber-deterrence-task-force/?category_news=technology

Electric Grid Resilience Under Review (March 1, 2017)

Attacks against supervisory control and data acquisition (SCADA) systems are becoming increasingly sophisticated and targeted. Attacks often begin by gaining purchase within a system and conducting reconnaissance to determine the structure of the network. From there, they often move throughout the system to establish persistence and eventually control of the targeted system. It is likely that many systems have already been compromised. Data analytics and machine learning could help protect the grid from attackers by detecting intrusion attempts.

[Editor Comments]

[Paller] One of the most comprehensive and well-reported articles on the reality of cybersecurity on the electric grid.

[Murray] One may never wake a "sleeper" attack, but one certainly wants the capability. Given that active attacks often take weeks to months to discover, sleeper attacks might well never be discovered if one is not diligent. The use of content control tools such as Tripwire can be useful in limiting the size of the space in which they can hide.

Read more in:

AFCEA: Girding the Grid for Cyberattacks http://www.afcea.org/content/?q=Article-girding-grid-cyber-attacks

DoJ Drops Case Against Alleged Child Porn Suspect to Protect Tor Hacking Technique (March 5 & 6, 2017)

The US Department of Justice (DOJ) has asked a federal court to dismiss its case against an alleged suspect in a child pornography case because the department does not want to reveal the "network investigative technique" it used to discover identities of people on Tor who accessed a certain dark web site. Last spring, Mozilla filed a brief in the case asking the FBI to privately reveal the flaw the technique exploits because it affects users' security. (The Tor browser uses much of the same code as Firefox.)

Read more in:

ZDNet: Justice Dept. drops Playpen child porn case to prevent release of Tor hack http://www.zdnet.com/article/justice-dept-asks-to-drop-playpen-child-porn-case-to-prevent-releasing-tor-exploit/
Ars Technica: To keep Tor hack source code secret, DOJ dismisses child porn case https://arstechnica.com/tech-policy/2017/03/doj-drops-case-against-child-porn-suspect-rather-than-disclose-fbi-hack/
BBC: Child porn case dropped to prevent FBI disclosure http://www.bbc.com/news/technology-39180204
Computerworld: U.S. drops child porn case to avoid disclosing Tor exploit http://computerworld.com/article/3176541/security/us-drops-child-porn-case-to-avoid-disclosing-tor-exploit.html
SoftPedia: DoJ Wants to Keep Tor Hack Code Used Secret, Dismisses Playpen Child Porn Case http://news.softpedia.com/news/doj-wants-to-keep-tor-hack-code-used-secret-dismisses-playpen-child-porn-case-513597.shtml
*************************** SPONSORED LINKS *****************************
1) Thinking about replacing your antivirus? Download this free proof of concept checklist for selecting a next-gen antivirus solution - Download now. http://www.sans.org/info/192532
2) Endpoint Protection...What really matters? Register now for this 5-part Webcast Series: http://www.sans.org/info/192537
3) John Pescatore discusses latest and best security hygiene and common success patterns that will best keep your organization off the Worst Breaches of 2017 lists. Register: http://www.sans.org/info/192442


Consumer Reports Will Evaluate Privacy and Data Security (March 6, 2017)

The non-profit, product-testing organization Consumer Reports (CR) will start including evaluations of products' online security and privacy features in its product reviews. CR is also part of a collective that is creating a standard to guide the development of digital products. "The goal [of the Digital Standard] is to help consumers understand which digital products do the most to protect their privacy and security, and give them the most control over their personal data."

[Editor Comments]

[Pescatore] Consumer Reports has been a strong advocate of car safety in the past and anything that gets consumers to pay more attention to the safety of software and home products is a good thing, if done well. Their draft "Digital Standard" is a good starting point - I especially like that it starts with "The product was built with effectively implemented safety features." and looks for evidence of static analysis and fuzzing of all software.

[Murray] I agree with John Pescatore. I would like for the broad standard to be 1) "does what, and only what, its label says that it does" (minimum attack surface) and 2) require a label that instructs the buyer in its safe use (application and environment, e.g. whether it is intended for direct connection to public (as opposed to enterprise or SOHO) networks). Products are never "secure," only "securable."

[Northcutt] CITL could actually move the needle. Consumer Reports is an established brand with a long history of balanced product evaluation. In one sense I sighed when I read thedigitalstandard.org, as I am new-standards weary. However, I encourage you to check out the web page. It is very pragmatic. I just hope they do not succumb to becoming bloatware over the next few years.

Read more in:

Consumer Reports: Consumer Reports to Begin Evaluating Products, Services for Privacy and Data Security http://www.consumerreports.org/privacy/consumer-reports-to-begin-evaluating-products-services-for-privacy-and-data-security/
The Hill: Consumer Reports to test products for privacy, data security http://thehill.com/policy/cybersecurity/322463-consumer-reports-to-test-products-for-privacy-data-security
CNET: Consumer Reports to factor cybersecurity into reviews https://www.cnet.com/news/consumer-reports-cybersecurity-privacy-product-reviews/
The Digital Standard: The Digital Standard https://www.thedigitalstandard.org/

Google and Microsoft Raise the Ceiling on Bug Bounty Payments (March 6, 2017)

Google and Microsoft have increased the maximum amount they will pay through their bug bounty programs. Google will now pay up to USD 31,337 for a remote code execution vulnerability and USD 13,337 for file system and database access bugs, up from USD 20,000 and USD 10,000, respectively. Microsoft will pay up to USD 15,000 for bugs, with certain bugs receiving up to USD 30,000 until May 1, 2017.

Read more in:

V3: Microsoft and Google boost bug bounty payouts http://www.v3.co.uk/v3-uk/news/3005873/microsoft-and-google-boost-bug-bounty-payouts
The Register: Google, Microsoft bump bug bounties http://www.theregister.co.uk/2017/03/06/google_microsoft_bump_bug_bounties/

Columbia Sportswear Files Lawsuit Against Former Employee Alleging CFAA and Wiretap Act Violations (March 6, 2017)

A former Columbia Sportswear employee allegedly accessed the company's network hundreds of times after leaving to work for Denali Advanced Integration, a tech consulting company that was one of Columbia's business partners. According to a complaint filed in a US federal court in Oregon, before Michael Leeper left the company, he allegedly created a backdoor that allowed him remote access to Columbia's network. Leeper allegedly stole sensitive corporate information by accessing the network hundreds of times over a two-year period. The stolen information was allegedly used "in furtherance of Denali's desire to profit from its business relationship with Columbia."

Read more in:

The Register: Ex penetrated us almost 700 times through secret backdoor, biz alleges http://www.theregister.co.uk/2017/03/06/columbia_sportswear_versus_denali/
RegMedia: Complaint: Columbia Sportswear Company v. 3MD Inc. dba Denali Advanced Integration and Michael Leeper (PDF) https://regmedia.co.uk/2017/03/06/columbia_sportswear_filing.pdf

Proton RAT Targets macOS Devices (March 6, 2017)

The Proton Remote Access Trojan (RAT), malware that targets macOS, is being sold on the dark web. Once Proton infects a device, attackers can gain root access privileges. Proton notifies attackers when new data are entered on the infected device. The malware evades detection by security software because it has genuine Apple code-signing signatures.

Read more in:

SC Magazine: Proton RAT malware not a positive development for Mac users https://www.scmagazine.com/proton-rat-malware-not-a-positive-development-for-mac-users/article/642132/
SoftPedia: Undetectable Mac Malware Proton for Sale on the Dark Web for 40 BTC http://news.softpedia.com/news/undetectable-mac-malware-proton-for-sale-on-the-dark-web-for-40-btc-513603.shtml

Bill Would Let Companies Under Attack Break Into Attackers' Network (March 3, 2017)

Legislation introduced in the US House of Representatives would allow companies that have been hit with cyberattacks to break into networks used by the attackers, with the caveat that they do no harm, but use the access only to stop the attack or gather information about the identity of the attackers to share with law enforcement. Such activity is currently prohibited under the Computer Fraud and Abuse Act. The Active Cyber Defense Certainty Act would not protect companies from liability if they destroy data or otherwise cause harm.

[Editor Comments]

[Murray and Neely] Bad public policy. Law should not encourage or license disorderly behavior. Amateurs engaging in such activity might corrupt evidence, alert perpetrators, or cause other damage.

[Williams] The part about not shielding you from liability is the most significant. There is often a big difference between intent and impact. Every penetration tester will also tell you that they are blamed for every outage from the time they start the engagement until they are done. Attackers rarely attack a network directly from their home network range. They are much more likely to use a compromised network of no intelligence value (a hop point). In the hacking back space, if this passes, expect to see lawsuits against organizations who "hack back" to an attacker only to find out they have targeted another victim (victimizing them again).

Read more in:

NextGov: House Bill Would Give Companies Leeway to Hack Back http://www.nextgov.com/cybersecurity/2017/03/house-bill-would-give-companies-some-leeway-hack-back/135892/?oref=ng-channeltopstoryds

US Federal Tech Position Vacancies Raise Concerns (March 3, 2017)

The fact that the positions of federal chief information officer and chief information security officer have not yet been filled raises concerns about protecting and updating government IT infrastructure. Former federal CIO Tony Scott and CISO Greg Touhill were not retained by the current administration.

Read more in:

CS Monitor: White House tech vacancies may threaten cybersecurity advances http://www.csmonitor.com/World/Passcode/2017/0303/White-House-tech-vacancies-may-threaten-cybersecurity-advances

PowerShell Remote Access Trojan (March 3, 2017)

A Remote Access Trojan (RAT) dubbed DNSMessenger gets its instructions through DNS. The infection starts with a malicious Word document sent through email. If readers click "Enable Content" as the document urges them to do, the maliciously constructed document launches a VBA macro that runs the initial PowerShell command.

[Editor Comments]

[Neely] Once again we're reminded of the dangers of enabling active content (macros) in documents. Too often, users click the enable button when prompted. Check your PowerShell Script Execution Policy setting to make sure script execution is either blocked or only signed scripts from a trusted publisher can execute. Microsoft has a script you can use to manage the setting. TechNet article: https://technet.microsoft.com/en-us/library/ee176961.aspx and this script will let you query your current script execution policy setting: https://technet.microsoft.com/en-us/library/ee176847.aspx
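The two settings that comment points at, the PowerShell execution policy and the Word macro setting, can be audited with the script below. It is an added example written for this issue, not code from the newsletter or from Microsoft; it assumes a Windows host with Word installed, and relies on Microsoft's documented VBAWarnings Trust Center value (1 = enable all, 2 = disable with notification, 3 = disable except signed, 4 = disable all).

```powershell
# Added example (not from the newsletter or from Microsoft): report whether
# this host will run unsigned PowerShell script files and unsigned Word
# macros, the two links in the DNSMessenger delivery chain a defender controls.
# Reading these settings needs no elevation; run as the user being audited.

function Get-ScriptPolicyReport {
    # -List shows every scope. Without -List, PowerShell returns the effective
    # policy after scope precedence: MachinePolicy > UserPolicy > Process >
    # CurrentUser > LocalMachine (first scope that is not Undefined wins).
    $scopes    = Get-ExecutionPolicy -List
    $effective = (Get-ExecutionPolicy).ToString()
    # Only Restricted and AllSigned refuse to run an unsigned .ps1 file.
    [pscustomobject]@{
        Scopes         = $scopes
        Effective      = $effective
        BlocksUnsigned = $effective -in @('Restricted', 'AllSigned')
    }
}

function Get-WordMacroReport {
    # VBAWarnings meanings per Microsoft's Trust Center documentation. A value
    # under Software\Policies is Group Policy-enforced and overrides the user key.
    $meaning = @{ 1 = 'Enable all macros'; 2 = 'Disable with notification (Enable Content prompt)'
                  3 = 'Disable except digitally signed'; 4 = 'Disable all, no notification' }
    $roots = 'HKCU:\Software\Policies\Microsoft\Office',
             'HKCU:\Software\Microsoft\Office'
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        # Office version subkeys look like 15.0 or 16.0.
        Get-ChildItem $root | Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
        ForEach-Object {
            $key = Join-Path $_.PSPath 'Word\Security'
            $val = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            if ($null -ne $val) {
                [pscustomobject]@{
                    Source         = if ($root -like '*Policies*') { 'GroupPolicy' } else { 'User' }
                    Version        = $_.PSChildName
                    VBAWarnings    = [int]$val
                    Meaning        = $meaning[[int]$val]
                    BlocksUnsigned = [int]$val -ge 3   # 3 and 4 block unsigned macros
                }
            }
        }
    }
}

$ps = Get-ScriptPolicyReport
$ps.Scopes | Format-Table -AutoSize
"Effective execution policy: $($ps.Effective) (blocks unsigned scripts: $($ps.BlocksUnsigned))"
$macros = @(Get-WordMacroReport)
if ($macros.Count -eq 0) { "No Word VBAWarnings value found (Word default is 2)" }
else { $macros | Format-Table -AutoSize }
```

Microsoft documents the execution policy as a safety feature rather than a security boundary, and it governs script files, not commands passed to powershell.exe inline, so in this chain the macro setting is the control that acts first.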

Read more in:

Ars Technica: Researchers uncover PowerShell Trojan that uses DNS queries to get its orders https://arstechnica.com/security/2017/03/researchers-uncover-powershell-trojan-that-uses-dns-queries-to-get-its-orders/
ThreatPost: New Fileless Attack Using DNS Queries to Carry Out PowerShell Commands https://threatpost.com/new-fileless-attack-using-dns-queries-to-carry-out-powershell-commands/124078/
Bleeping Computer: Malware Retrieves PowerShell Scripts from DNS Records https://www.bleepingcomputer.com/news/security/malware-retrieves-powershell-scripts-from-dns-records/

Slack Fixes Account Hijack Flaw (March 2 & 3, 2017)

Slack fixed a flaw in its messaging and collaboration tool just hours after the issue was reported. The flaw could have been exploited to allow malicious websites to steal users' Slack tokens, which could be used to access accounts and messages.

Read more in:

The Register: Slack quick to whack account hijack crack http://www.theregister.co.uk/2017/03/03/slack_resolves_account_hijack_risk/
ZDNet: Slack bug granted hackers full access to accounts, messages http://www.zdnet.com/article/slack-bug-gave-hackers-full-access-to-accounts-messages/
Detectify: Hacking Slack using postMessage and WebSocket-reconnect to steal you precious token https://labs.detectify.com/2017/02/28/hacking-slack-using-postmessage-and-websocket-reconnect-to-steal-your-precious-token/

State Cyber Resiliency Act Introduced in US House and Senate (March 2, 2017)

US legislators have introduced a bill that aims to help increase state and local governments' access to cybersecurity resources. Most state and local governments generally allocate less than two percent of their budgets for cybersecurity, while half of the governments experienced at least six breaches over a two-year period. The State Cyber Resiliency Act would establish a grant program to help state and local government develop cyber resiliency plans.

Read more in:

FCW: Grant program would support state, local cybersecurity https://fcw.com/articles/2017/03/02/state-cyber-bill-rockwell.aspx

The demand for application security testing has grown steadily over the past few years with Gartner projecting a 14% average growth rate through 2020, almost twice as high as the average growth of the revenue for cybersecurity overall. Veracode was growing faster than average, more than doubling its revenue 2014-2016. CA acquired Rally Software in 2015, increasing its focus on DevOps and application development, monitoring and governance. In theory, application security testing is a good fit in that mix but in practice most successful integration of app security testing into the development front end requires a strong CISO push from the back end - getting it in use as part of QA/production readiness review and then moving upstream. For existing Veracode customers, CA does not have a strong track record when acquiring security vendors and support and product quality should be closely monitored - while Veracode's products and services have been very strong, there are several alternatives. For security programs that have been unable to get app security testing funded and implemented, if you are a CA shop, this should provide an opportunity to do so.
URL: http://www.bizjournals.com/boston/news/2017/03/06/ca-technologies-to-pay-614m-for-burlington.html


How Your Pictures Affect Your Website Reputation
De-Obfuscating Padded Code
FoxIT PDF Reader Vulnerability
Applying SHA1 Shatter Attack to BitTorrent
Gargoyle Memory Scanning Evasion
Attacking Synergy Clients
Typosquatting Against Santander Bank in Brazil With Phone Call Follow-up
Post Mortem on 911 DDoS Attack
Nextcloud/Owncloud Scanner
Western Digital MyCloud Vulnerability


The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create