

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #3

January 10, 2017


DOE Report: Power Grid in 'Imminent Danger' of Cyber Attack
States Making Lists of Breached Companies Public
St. Jude Releases Heart Implant Security Update


libvncserver Security Update
TruffleHog Helps Find Hard-Coded Access Keys in Software
Declassified Report Says Putin Ordered Propaganda Campaign to Sway U.S. Election
Feds Drop Case Against Alleged Sex Offender Rather than Reveal Tor Investigation Techniques
Guilty Plea in eMail Breach Case
DHS: U.S. Election Systems are Critical Infrastructure



*************************** Sponsored By Splunk ******************************

Looking for some specific ways to get started using Splunk? We can help. We have a step-by-step online experience to walk you through how to use login activity and Splunk to detect, validate and scope threats in your environment.

Learn more here: http://www.sans.org/info/191292



--SANS Brussels Winter 2017 | Brussels, Belgium | Jan 16-21, 2017 | https://www.sans.org/event/brussels-winter-2017

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017

--SANS Las Vegas 2017 | Las Vegas, NV | January 23-30, 2017 | https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | Anaheim, CA | February 6-11, 2017 | https://www.sans.org/event/anaheim-2017

--SANS Munich Winter 2017 | Munich, Germany | February 13-18, 2017 | https://www.sans.org/event/munich-winter-2017

--SANS Secure Japan 2017 | Tokyo, Japan | February 13-25, 2017 | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017

--SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017

--SANS Online Training: Get an iPad Pro, Samsung Galaxy Tab S2, or $500 off with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/



DOE Report: Power Grid in 'Imminent Danger' of Cyber Attack (January 6, 2017)

According to a report from the U.S. Department of Energy (DOE), cyber attacks pose an "imminent threat" to the country's power grid. The report says that attacks are becoming increasingly sophisticated and more frequent. Grid operators have adopted security measures to mitigate the risks of attacks.

Read more in:

U.S. Dept. of Energy: Quadrennial Energy Review Second Installment

The Hill: Energy Dept. report highlights new threats to electric grid

Bloomberg: U.S. Grid in 'Imminent Danger' From Cyber-Attack, Study Says

States Making Lists of Breached Companies Public (January 6, 2017)

All but three U.S. states require organizations that experience security breaches affecting their residents to report those breaches. While this information is available if people know to ask for it, four states - California, Indiana, Washington, and Massachusetts - have begun making the information publicly and freely available.

Read more in:

Wired: A Few States Now Actually Help You Figure Out if You've Been Hacked

Declassified Report Says Putin Ordered Propaganda Campaign to Sway U.S. Election (January 6, 2017)

According to a report from the Office of the Director of National Security, Russian President Vladimir Putin ordered a propaganda campaign to interfere in November's U.S. presidential election. The declassified report is an edited version of the longer, classified report that provided details about the methods used in the campaign.

Read more in:

Wired: Fed's Damning Report on Russian Election Hack Won't Convince Skeptics

SC Magazine: Declassified intelligence report says Putin, Russia meddled in U.S. presidential election

Computerworld: U.S. says Putin ordered election cyber-meddling to favor Trump

KrebsOnSecurity: DNI: Putin Led Cyber, Propaganda Effort to Elect Trump, Denigrate Clinton

Federal News Radio: US report: Putin ordered effort to help Trump, hurt Clinton

St. Jude Releases Heart Implant Security Update (January 9, 2017)

The U.S. Food and Drug Administration (FDA) says that security issues in St. Jude Medical cardiac implant devices could be exploited to run down the battery or alter the device's rhythms. Abbott Laboratories, which recently acquired St. Jude, has released an update to fix the flaws. It will be automatically pushed out to affected devices.

[Editor Comments ]

[Jake Williams ]
This release is significant because St. Jude originally denied and downplayed the vulnerabilities released by MedSec and Muddy Waters. This is a validation that at least some of those vulnerabilities were real (and significant enough to warrant an FDA warning). Expect more security researchers to cash in on vulnerabilities by shorting the stock of public companies.

Read more in:

Reuters: St. Jude releases cyber updates for heart devices after U.S. probe

CNN: FDA confirms that St. Jude's cardiac devices can be hacked

*************************** SPONSORED LINKS ********************************

1) Don't Miss: "Hunting with Cyber Deception and Incident Response Automation" Register: http://www.sans.org/info/191297

2) Webcast: Next generation analysts for next generation threats - lessons from deploying best practices to hundreds of SOC teams! Register: http://www.sans.org/info/191302

3) Looking for a solution to your security issue? Visit the SANS Affiliate Directory for a list of vendors who may be able to help! http://www.sans.org/info/191307



libvncserver Security Update (January 5 & 9, 2017)

Debian has released a security update to address a flaw in the libvncserver libraries that "incorrectly processed incoming network packets." The heap-based buffer overflow issue could be exploited to create denial of service (DoS) conditions or execute arbitrary code.

[Editor Comments ]

[Jake Williams ]
If you are running VNC in your network, this is a "patch now" event. In general, we recommend that clients not expose remote access services such as VNC and RDP directly to the Internet, preferring VPN or SSH tunneling instead. Having looked at the vulnerability, I think the probability for a remote code execution PoC in the coming weeks is high.

Read more in:

The Register: VNC server library gets security fix

Debian: Security Advisory: libvncserver - security update

TruffleHog Helps Find Hard-Coded Access Keys in Software (January 9, 2017)

A new tool known as TruffleHog searches git repositories to find hard-coded access keys. The tool has been made public. Hard-coding keys in software projects poses security risks. TruffleHog detects high entropy strings that are larger than 20 characters.

Read more in:

ZDNet: GitHub secret key finder released to public

Computerworld: This tool can help weed out hard-coded keys from software projects

SC Magazine UK: Secret key-finding tool launched

The Register: Hacker publishes GitHub secret key hunter

GitHub: TruffleHog
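As an added illustration of the entropy heuristic the item describes (example code written for this page, not TruffleHog's own), the scanner below pulls out runs of at least 20 characters drawn from the base64 or hex alphabets and flags those whose Shannon entropy is high; the two thresholds and the sample file contents are assumptions, not values taken from the tool.

```python
import math
import re
from collections import Counter

# Alphabets a TruffleHog-style scanner looks at: base64 and hex.
BASE64_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
HEX_CHARS = "1234567890abcdefABCDEF"

MIN_LEN = 20            # the 20-character floor mentioned in the item
BASE64_THRESHOLD = 4.5  # assumed: bits of entropy per character that flag a base64-ish run
HEX_THRESHOLD = 3.0     # assumed: same for a hex-ish run (smaller alphabet, lower ceiling)

# Constructed sample file; the "secrets" are made up for this example.
SAMPLE_SOURCE = """\
# constructed sample file, not from any real repository
DEFAULT_PASSWORD = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
aws_secret_key = "aB3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xY"
git_token = "0123456789abcdef0123456789abcdef01234567"
"""


def shannon_entropy(data: str) -> float:
    """Shannon entropy of the string in bits per character (0 for empty or uniform input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def candidate_strings(text: str, alphabet: str, min_len: int = MIN_LEN) -> list:
    """Maximal runs of characters from `alphabet` that are at least min_len long."""
    pattern = "[" + re.escape(alphabet) + "]{" + str(min_len) + ",}"
    return re.findall(pattern, text)


def find_high_entropy_strings(text: str) -> list:
    """Return (kind, string, entropy) for every candidate above its alphabet's threshold.

    A long but repetitive value (the all-'a' password above) is a candidate by length
    yet scores ~0 bits, so the entropy check is what separates secrets from padding.
    """
    findings = []
    for kind, alphabet, threshold in (("base64", BASE64_CHARS, BASE64_THRESHOLD),
                                      ("hex", HEX_CHARS, HEX_THRESHOLD)):
        for s in candidate_strings(text, alphabet):
            e = shannon_entropy(s)
            if e > threshold:
                findings.append((kind, s, round(e, 2)))
    return findings


if __name__ == "__main__":
    for kind, value, entropy in find_high_entropy_strings(SAMPLE_SOURCE):
        print(f"{kind:6} {entropy:5.2f} bits/char  {value}")
```

A real scan walks every commit diff in the repository history, since a key that was committed and later removed is still recoverable from git.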

Feds Drop Case Against Alleged Sex Offender Rather than Reveal Tor Investigation Techniques (January 6 & 9, 2017)

The FBI has dropped a case against an alleged sex offender rather than reveal information about the methods used to obtain evidence against him. Authorities arrested a Washington state middle school teacher for allegedly accessing a website through the Tor network known to host child abuse material (pornography). Federal investigators were surreptitiously operating the site at the time, using a tool that revealed Tor users' IP addresses. A judge ordered the FBI to disclose the source code for the tool it used to identify the suspect but instead, the FBI has dropped its appeal.

[Editor Comments ]

[Jake Williams ]
Legal precedent aside, the DoJ is sending a message by dropping the case. This may simply be a bureaucratic maneuver where DoJ doesn't have the code to release and FBI won't supply it (or it may not be the FBI's in the first place). More likely it sends the message that the technique is still actively being used in the field. This seems to refute the earlier speculation that the now patched Firefox vulnerability CVE-2016-9079 was the vulnerability used by the FBI. This might indicate that the NIT uses more than one vulnerability, or that enough investigation targets are using an unpatched browser to justify keeping the vulnerability a secret.

[William Hugh Murray ]
Since it is prosecutors, not the FBI, that "drops" cases, one infers that this is DoJ policy. One inferred after the Stingray debacle that the people and their representatives did not want law enforcement to hide investigative tools from the courts. One presumes that they hide to avoid the Fourth Amendment requirement for a warrant. Since warrants are routine, one might infer that it is the supervision and limitations that they seek to avoid. Finally, this case might raise the question of whether or not we want law enforcement to operate "honey pots," whether such operation raises the question of entrapment.

Read more in:

The Register: FBI let alleged pedophile walk free rather than explain how they snared him

Ars Technica: Feds may let Playpen child porn suspect go to keep concealing their source code

Guilty Plea in eMail Breach Case (January 6 & 9, 2017)

Justin Liverman has pleaded guilty to conspiracy to commit unauthorized computer intrusions, identity theft, and telephone harassment for his role in breaking into email accounts belonging to senior U.S. government officials, including CIA director John Brennan's AOL email account. The stolen email messages were published on WikiLeaks. Four other individuals in the U.S. and the U.K. have been arrested in connection with the breach. Liverman faces up to five years in prison.

Read more in:

The Register: CIA director AOL email hacker coughs to crime

Ars Technica: How hackers made life hell for a CIA boss and other top US officials

U.S. Dept. of Justice: North Carolina Man Pleads Guilty To Hacking Conspiracy That Targeted Senior U.S. Government Officials

DHS: U.S. Election Systems are Critical Infrastructure (January 6 & 9, 2017)

The US Department of Homeland Security (DHS) has designated the U.S. election system as a subsector of the Government Facilities critical infrastructure sector. While state and local election officials have expressed concern about the change, according to a statement from DHS Secretary Jeh Johnson, the new designation does not mean that the government is taking over election systems but instead that it is prioritizing the systems to receive cybersecurity assistance.

[Editor Comments ]

[William Hugh Murray ]
Even if one grants that election systems are infrastructure, cyber security is not the problem. This may be the infrastructure that remains the least dependent upon computers attached to the public networks.

[Gal Shpantzer ]
Note that the campaigns and the parties (DNC/RNC/etc) are not in scope to this designation. So if the Podesta and DNC hack were to happen in 2020, this designation would not apply any further resources to the 2016 targets.

Read more in:

Washington Post: US designates election infrastructure as 'critical'

Dark Reading: DHS Designates Election Systems As Critical Infrastructure

SC Magazine: DHS designated election systems as critical infrastructure, under 'Government Facilities' category

U.S. Dept. of Homeland Security: Statement by Secretary Jeh Johnson on the designation of Election Infrastructure as a Critical Infrastructure Subsector


Careful With Security Tools That Submit Files to Virustotal

Vulnerable Security Tools Can Be Used Against You

Elaborate Ransomware Attacks

E-Mail and iTunes Popup Extortion

Damn Vulnerable Web Sockets (DVWS) Demonstrates WebSocket Vulnerabilities

St. Jude Medical Patches Vulnerable Cardiac Devices

Cracking Hashes of Passwords 12 Characters and Longer

VNC Library Update

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board