
Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #62

August 8, 2017

TOP OF THE NEWS


NIST Analyst: Our Security Guidance Was Wrong
NHS WannaCry Infection Highlights Effects of Cyberattacks on Patient Care
DoJ Vulnerability Disclosure Framework for Businesses

THE REST OF THE WEEK'S NEWS


Marcus Hutchins
Ships Reviving Radio Navigation for GPS Back-Up
.NET Deserialization Issues
Complaint Filed with FTC Alleges VPN Provider is Using Deceptive Trade Practices
Prison Sentence for Man Who Accessed Former Employer's Networks to Obtain Proprietary Information
Siemens Preparing Updates for PET/CT Scanner Vulnerabilities
Advice from DEF CON's Voting Village
BroadPwn Patched in Google's Chrome OS
NCCIC/ICS-CERT Alerts Car Makers to CAN Bus Standard Vulnerability

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Sophos Inc. *******************************

LIVE Webcast: Ransomware has become one of the most visible and damaging threats internet users face today. Thanks to ransomware-as-a-service (RaaS), anyone with ill intent and access to the dark web can build and launch an attack. Go inside the head of these hackers and how to protect your organization. Register Today >> http://www.sans.org/info/197260

***************************************************************************

TRAINING UPDATE

-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017

-- SANS Virginia Beach 2017 | August 21-September 1 | https://www.sans.org/event/virginia-beach-2017

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Baltimore Fall 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- SANS OnDemand and vLive Training | Online Training Special: Get an iPad, Samsung Galaxy Tab A, or take $250 Off with OnDemand or vLive Training - ends August 16. Top-tier training without the travel. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

NIST Analyst: Our Security Guidance Was Wrong (August 7, 2017)

"Much of what I did I now regret," said Bill Burr, who in 2003 wrote the National Institute of Standards and Technology (NIST) publication that offered advice about creating strong passwords. That advice, which was widely relied upon, did little for security and "actually had a negative impact on usability." NIST has published a new version that reverses most of the old guidance, including mandatory periodic changes and composition rules requiring special characters, numbers, and capital letters. The revised SP 800-63 (the password rules are in SP 800-63B) advises allowing long passwords that are easy to remember, screening them against lists of known-compromised values, and changing them only if there is evidence they have been compromised. Explaining the root cause of the earlier misleading guidance, Burr said he would have liked empirical evidence on the effectiveness and usability of password rules, but was unable to find any.

[Editor Comments]
[Pescatore] The 2003 publication of NIST 800-63 with that bad password advice unfortunately came out right at the time that the Sarbanes Oxley bill was enabling a wave of completely useless IT audits that almost invariably focused on passwords not being changed frequently enough - even though we had lots of evidence that changing passwords unnecessarily lowered security by causing password reset discipline to go down while help desk costs went up. The new advice is much better - will take a while for auditors to change their tune, though.
[Paller] NIST's willingness to say aloud that the old guidance was not correct is emblematic of a new approach we have been seeing at NIST. An equally impressive example of the shift to evidence-based guidance is their semi-public suggestions that the Australian "Essential Eight" or the Critical Security Controls "Top 5" (the two are nearly identical) are acceptable approaches to prioritizing actions that should be taken first in implementing the NIST Security Framework. Both the Essential Eight and the Top 5 are based on empirical evidence of what mitigations block and help mitigate damage from known attacks.
[Neely] The update of NIST 800-63 adds the use of password managers, up to 64 character passwords, adding rate limiters, and the idea of only changing a password when risks warrant it - the advice in the 2003 guide was based on a document created in the 1980s. Read 800-63B Section 5.1.1.2. Don't expect applications to support a 64-character password or stop insisting on passwords based on the prior guidance until regulators/auditors have embraced the new standard, after which needed code changes can be tested and rolled out. The new standard still permits the use of an 8-character password - which aids in backwards compatibility.
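The rules the editors describe (8 to 64 code points, no composition rules, a blocklist of compromised and predictable values, salted key-derivation storage, and a cap on failed attempts) are easy to state and easy to get subtly wrong. The following is an added example, not code from NIST or SANS, of a verifier written to SP 800-63B sections 5.1.1.2 and 5.2.2; the breach list, account names and passwords in it are constructed for illustration, and a real deployment would load a full breach corpus instead.

```python
"""Memorized-secret handling modelled on NIST SP 800-63B (sections 5.1.1.2
and 5.2.2). Added example, not code from NIST or SANS. The breach list,
user names and passwords below are constructed for illustration."""
from __future__ import annotations

import hashlib
import os
import secrets
import unicodedata

MIN_LEN = 8                  # 800-63B: at least 8 characters for user-chosen secrets
MAX_LEN = 64                 # 800-63B: verifiers SHOULD accept at least 64
MAX_FAILED = 100             # 800-63B 5.2.2: cap consecutive failed attempts
PBKDF2_ITERATIONS = 100_000  # 800-63B: at least 10,000 for PBKDF2

# Constructed stand-in for a breach/common-password list (assumption).
BREACHED = {"password", "123456", "qwerty123", "letmein1", "welcome1"}


def _is_repetitive_or_sequential(pw: str) -> bool:
    """Catch 'aaaaaaaa' and 'abcdefgh'/'87654321'-style strings."""
    cps = [ord(c) for c in pw]
    if len(set(cps)) == 1:
        return True
    steps = {b - a for a, b in zip(cps, cps[1:])}
    return steps in ({1}, {-1})


def check_new_password(candidate: str, username: str = "",
                       service: str = "") -> tuple[bool, str]:
    """Return (accepted, reason). No composition rules: length, a blocklist
    and a few structural checks do the work, as 800-63B recommends."""
    pw = unicodedata.normalize("NFKC", candidate)   # 800-63B: NFKC or NFKD
    while "  " in pw:                               # MAY collapse repeated spaces
        pw = pw.replace("  ", " ")
    n = len(pw)                                     # count code points, not bytes
    if n < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if n > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"  # reject, never truncate
    low = pw.lower()
    if low in BREACHED:
        return False, "found in breach/common-password list"
    if _is_repetitive_or_sequential(low):
        return False, "repetitive or sequential characters"
    for word in (username, service):
        if word and word.lower() in low:
            return False, "contains a context-specific word"
    return True, "ok"


def hash_password(pw: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, the storage form 800-63B calls for."""
    if salt is None:
        salt = os.urandom(16)                       # 800-63B: salt of at least 32 bits
    data = unicodedata.normalize("NFKC", pw).encode("utf-8")
    return salt, hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)


class FailedAttemptLimiter:
    """Per-account counter of consecutive failures; locks at MAX_FAILED."""

    def __init__(self) -> None:
        self._failures: dict[str, int] = {}

    def allowed(self, account: str) -> bool:
        return self._failures.get(account, 0) < MAX_FAILED

    def record(self, account: str, success: bool) -> None:
        if success:
            self._failures.pop(account, None)
        else:
            self._failures[account] = self._failures.get(account, 0) + 1


def verify_login(store: dict[str, tuple[bytes, bytes]],
                 limiter: FailedAttemptLimiter, account: str, attempt: str) -> bool:
    """Constant-time comparison against the stored hash, behind the limiter."""
    if not limiter.allowed(account) or account not in store:
        return False
    salt, expected = store[account]
    _, got = hash_password(attempt, salt)
    ok = secrets.compare_digest(got, expected)
    limiter.record(account, ok)
    return ok


if __name__ == "__main__":
    for pw in ("password", "12345678", "Tr0ub4dor&3",
               "my dog ate a purple umbrella in 1999"):
        print(repr(pw), check_new_password(pw, username="alice"))
```

Note what is absent: there is no check for an uppercase letter or a symbol, and nothing that expires a password on a calendar. The length ceiling is enforced by rejecting the candidate rather than silently truncating it, since truncation would make two different secrets verify identically.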

Read more in:
WSJ: The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!
https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118

NHS WannaCry Infection Highlights Effects of Cyberattacks on Patient Care (June 8 & August 3, 2017)

The WannaCry ransomware attack that hit the UK's NHS computer systems in May underscores the risk to patients posed by the healthcare sector's reliance on "outdated and underfunded IT systems." (The Fierce Healthcare article refers to the piece in the New England Journal of Medicine, which is behind a paywall.)

Read more in:
Fierce Healthcare: NHS doctors: 'Undeniably dramatic' WannaCry attack raises the stakes for healthcare cybersecurity
http://www.fiercehealthcare.com/privacy-security/nhs-doctors-undeniably-dramatic-wannacry-attack-raises-stakes-for-healthcare
New England Journal of Medicine: Cyberattack on Britain's National Health Service - A Wake-up Call for Modern Medicine
http://www.nejm.org/doi/full/10.1056/NEJMp1706754

DoJ Vulnerability Disclosure Framework for Businesses (August 3, 2017)

The US Department of Justice (DOJ) has released a framework for businesses to help organizations establish formal vulnerability disclosure programs. The Cybersecurity Unit of the DOJ's Criminal Division developed the framework.

[Editor Comments]
[Pescatore] There is really nothing in this document that isn't in ISO 29147, which came out in 2014. Plus, the DoJ document points out that using this approach won't carry any legal backing: "This guidance is intended as assistance, not authority. Nothing in it is intended to create any substantive or procedural rights, privileges, or benefits enforceable in any administrative, civil, or criminal matter." So, it is a nice eight-page summary but pretty much useless outside of that.
[Williams] One often overlooked aspect of running a bug bounty program is the amount of noise that it creates, potentially allowing real attacks to slip through in the noise. Some additional information about considering the security monitoring aspects of bug bounty programs can be found here (https://www.renditioninfosec.com/2017/08/bug-bounty-considerations-security-monitoring/).
[Honan] It is good that there is clarity and guidance being published for this aspect of an organisation's overall application security program. However, bug bounty programs should be just a part of an organization's application security program which should also include secure coding techniques, threat modelling, source code scanning, unit testing, and vulnerability scanning.

Read more in:
Dark Reading: DoJ Launches Framework for Vulnerability Disclosure Programs
http://www.darkreading.com/vulnerabilities---threats/doj-launches-framework-for-vulnerability-disclosure-programs/d/d-id/1329514?
DOJ: A Framework for a Vulnerability Disclosure Program for Online Systems
https://www.justice.gov/criminal-ccips/page/file/983996/download

*************************** SPONSORED LINKS ********************************
1) The cost of Business Email Compromise is impacting employees, business partners and customers of organizations around the world. Register: http://www.sans.org/info/197265
2) Register to learn how to put some power into your network security so that you can effectively detect, hunt and prevent advanced threats. http://www.sans.org/info/197270
3) Join this webinar to learn about the Infoblox's unique approach to detecting and preventing data exfiltration. http://www.sans.org/info/197275
******************************************************************************

THE REST OF THE WEEK'S NEWS

Marcus Hutchins (August 3, 4, & 7, 2017)

Marcus Hutchins, the researcher who discovered a "kill switch" for the WannaCry ransomware earlier this year, was arrested in Las Vegas last week after the Black Hat and DEF CON conferences. The indictment alleges that Hutchins created the Kronos banking malware in 2014, and that an as-yet unnamed co-defendant sold it on underground forums. The indictment does not allege that Hutchins himself used the malware to cause damage. He has pleaded not guilty to the charges in the indictment.

Read more in:
Threatpost: Marcus Hutchins' Only Certainty is Uncertainty
https://threatpost.com/marcus-hutchins-only-certainty-is-uncertainty/127270/
The Hill: Industry rallies legal defense fund for researcher accused of computer crimes
http://thehill.com/policy/cybersecurity/345583-industry-rallies-legal-defense-fund-for-researcher-accused-of-computer
NYT: He Won Praise for Halting a Global Cyberattack. Then He Was Arrested.
https://www.nytimes.com/2017/08/03/technology/cybersecurity-researcher-hailed-as-hero-is-accused-of-creating-malware.html
The Register: WannaCry-killer Marcus Hutchins pleads not guilty to malware claims
https://www.theregister.co.uk/2017/08/04/marcus_hutchins_wannacry_kronos_court_bail/
DOJ: Hutchins Indictment
https://www.justice.gov/opa/press-release/file/986606/download

Ships Reviving Radio Navigation for GPS Back-Up (August 7, 2017)

Increasing concerns about the reliability of GPS satellite-based navigation for ships are prompting some countries to develop terrestrial radio-based back-up navigation systems. GPS signals are weak by the time they reach a receiver, so they can be jammed or spoofed, and they are susceptible to interference from solar weather as well as from deliberate attacks.

[Editor Comments]
[Pescatore] Denial of service and ransomware attacks, as well as natural disasters, continue to point out the need for backup capabilities. Just as important as the backup system are the skills people need to periodically test and use the backup systems. Business users dependent on apps that tell them where to turn should still know how to navigate and maybe even (eek) read a map. (In full disclosure, I'm a ham radio operator and am quite prepared to use Morse Code over HF radio as my Internet backup...)
[Northcutt] The Naval Academy went so far as to reinstitute training in celestial navigation. Keep in mind that the "founder" of GPS supports the use of e-Loran; blind faith in the easily jammable GPS is not wise. I wonder if any motorists still have paper maps? http://www.npr.org/2016/02/22/467210492/u-s-navy-brings-back-navigation-by-the-stars-for-officers

Read more in:
Ars Technica: Radio navigation set to make global return as GPS backup, because cyber
https://arstechnica.com/gadgets/2017/08/radio-navigation-set-to-make-global-return-as-gps-backup-because-cyber/
Reuters: Cyber threats prompt return of radio for ship navigation
http://www.reuters.com/article/us-shipping-gps-cyber-idUSKBN1AN0HT

.NET Deserialization Issues (August 7, 2017)

Research presented at Black Hat shows that several widely used .NET serialization libraries can be abused to execute arbitrary code when an application deserializes untrusted input, particularly when the library is configured to honour type information embedded in the data (for example, Json.NET's TypeNameHandling setting), because the sender then chooses which .NET type is instantiated. A similar class of issues has been exploited in Java applications since 2015.

[Editor Comments]
[Williams] The core problem here is that many .Net applications are internally- or contractor-developed and never updated. Because they rely on custom code, automated vulnerability scanners are unlikely to discover this vulnerability within these .Net applications.
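Two checks a team can run on its own .NET code and traffic, as an added example that is not code from the Black Hat paper or from any .NET library: a guard that rejects untrusted JSON carrying a type discriminator before it reaches a deserializer, and a source scan for the Json.NET setting that turns those discriminators on. Json.NET writes a "$type" member when TypeNameHandling is enabled, and ASP.NET's JavaScriptSerializer and DataContractJsonSerializer use "__type"; the ObjectDataProvider type in the sample payload is the gadget discussed in the linked paper. The payloads, the order-intake API and the C# fragment below are constructed for illustration.

```python
"""Guards for .NET JSON deserialization. Added example, not code from the
Black Hat paper or any .NET library. The payloads and C# fragment are
constructed; the "$type"/"__type" key names are the real discriminators."""
import json
import re

TYPE_KEYS = {"$type", "__type"}

# Constructed sample payloads (assumption: an order-intake API).
SAMPLE_CLEAN = '{"order": {"id": 42, "items": [{"sku": "A-1", "qty": 2}]}}'
SAMPLE_ATTACK = (
    '{"order": {"$type": "System.Windows.Data.ObjectDataProvider, '
    'PresentationFramework", "id": 42},'
    ' "items": [{"__type": "Evil.Type, Evil"}]}'
)


def find_type_discriminators(doc, path="$"):
    """Walk parsed JSON; return (location, type name) for every discriminator key,
    at any depth, so a nested object cannot smuggle one past a top-level check."""
    hits = []
    if isinstance(doc, dict):
        for key, value in doc.items():
            here = f"{path}.{key}"
            if key in TYPE_KEYS:
                hits.append((here, value if isinstance(value, str) else repr(value)))
            hits.extend(find_type_discriminators(value, here))
    elif isinstance(doc, list):
        for i, value in enumerate(doc):
            hits.extend(find_type_discriminators(value, f"{path}[{i}]"))
    return hits


def scan_payload(text: str):
    """Parse JSON text and report discriminator keys without acting on them."""
    return find_type_discriminators(json.loads(text))


def load_untrusted_json(text: str):
    """Parse, then refuse any document that tries to pick its own .NET types.
    Only a document that passes is handed to the real deserializer."""
    hits = scan_payload(text)
    if hits:
        raise ValueError("type discriminator in untrusted JSON: "
                         + ", ".join(f"{p} -> {t}" for p, t in hits))
    return json.loads(text)


# Constructed C# fragment showing the setting a source scan should flag.
SAMPLE_CSHARP = """\
var settings = new JsonSerializerSettings();
settings.TypeNameHandling = TypeNameHandling.None;   // safe default
settings.TypeNameHandling = TypeNameHandling.All;    // unsafe with untrusted input
var order = JsonConvert.DeserializeObject<Order>(body, settings);
"""

# Any value other than None lets the payload name types.
RISKY_SETTING = re.compile(
    r"TypeNameHandling\s*=\s*TypeNameHandling\.(Objects|Arrays|All|Auto)\b")


def find_risky_typenamehandling(source: str):
    """Return (line number, line) for each Json.NET setting that enables type names."""
    return [(n, line.strip()) for n, line in enumerate(source.splitlines(), 1)
            if RISKY_SETTING.search(line)]


if __name__ == "__main__":
    print(scan_payload(SAMPLE_ATTACK))
    print(find_risky_typenamehandling(SAMPLE_CSHARP))
```

The source scan is the kind of custom check the editor comment above is asking for: a generic scanner will not know that a line in a contractor-written handler enables type names. Where an application genuinely needs polymorphic deserialization, the alternative to rejecting type names outright is a SerializationBinder that allowlists the handful of expected types, so that a name like the one in the attack payload is never resolved.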

Read more in:
Bleeping Computer: Severe Deserialization Issues Also Affect .NET, Not Just Java
https://www.bleepingcomputer.com/news/security/severe-deserialization-issues-also-affect-net-not-just-java/
Black Hat: Friday the 13th JSON Attacks
https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf

Complaint Filed with FTC Alleges VPN Provider is Using Deceptive Trade Practices (August 7, 2017)

The Center for Democracy and Technology (CDT) has filed a complaint with the US Federal Trade Commission (FTC), asking the FTC "to investigate the data security and data sharing practices of [VPN provider] Hotspot Shield." The complaint alleges that while Hotspot Shield claims to provide anonymous browsing, the company actually intercepts and redirects web traffic.

Read more in:
Ars Technica: FTC must scrutinize Hotspot Shield over alleged traffic interception, group says
https://arstechnica.com/tech-policy/2017/08/ftc-must-scrutinize-hotspot-shield-over-alleged-traffic-interception-group-says/
ZDNet: Privacy group accuses Hotspot Shield of snooping on web traffic
http://www.zdnet.com/article/privacy-group-accuses-hotspot-shield-of-snooping-on-web-traffic/
CDT: Complaint, Request for Investigation, Injunction, and Other Relief (PDF)
https://cdt.org/files/2017/08/FTC-CDT-VPN-complaint-8-7-17.pdf

Prison Sentence for Man Who Accessed Former Employer's Networks to Obtain Proprietary Information (August 7, 2017)

Jason Needham has been sentenced to 18 months in prison for accessing his former employer's computer network and stealing proprietary information. He has also been ordered to pay more than 170,000 USD in restitution to his former employer, Allen & Hoshall.

[Editor Comments]
[Pescatore] Unauthorized access (to computer systems as well as houses, cars, etc.) is illegal and violators should be prosecuted. However, all too often when employees leave or change positions, their access rights remain - often for years. Leaving the keys in the ignition enables the thief - he may get caught and sent to jail, but your car is still gone. Check those process connections between HR actions and user account and privilege management.
[Williams] He continued to access systems even after passwords were changed. Multifactor authentication could have limited the damage in this case.

Read more in:
Dark Reading: Man Who Hacked his Former Employer Gets 18-Month Prison Sentence
http://www.darkreading.com/threat-intelligence/man-who-hacked-his-former-employer-gets-18-month-prison-sentence/d/d-id/1329574?
DOJ: Tennessee Man Sentenced for Unauthorized Access of Former Employer's Networks
https://www.justice.gov/opa/pr/tennessee-man-sentenced-unauthorized-access-former-employers-networks

Siemens Preparing Updates for PET/CT Scanner Vulnerabilities (August 4 & 7, 2017)

Vulnerabilities in network-connected Siemens medical scanning devices could be exploited to execute malicious code. The flaws affect Siemens positron emission tomography and computed tomography (PET/CT) scanners running on Windows 7, and lie in Microsoft web server and HP Client Automation components rather than in the imaging software itself. Siemens is developing fixes for the four vulnerabilities, and the patches are expected to be available by the end of August. The US Department of Homeland Security's Industrial Control Systems CERT (ICS-CERT) has issued an advisory.

Read more in:
Reuters: Siemens to update medical scanner software to deal with security bugs
http://www.reuters.com/article/us-siemens-healthcare-cyber-idUSKBN1AN1XB
The Register: Forget sexy zero-days. Siemens medical scanners can be pwned by two-year-old-days
http://www.theregister.co.uk/2017/08/04/win7_brain_scanners_hacked/
ICS-CERT: Siemens Molecular Imaging Vulnerabilities
https://ics-cert.us-cert.gov/advisories/ICSMA-17-215-02
Siemens: Microsoft Web Server and HP Client Automation Vulnerabilities in Molecular Imaging Products from Siemens Healthineers (PDF)
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-822184.pdf

Advice from DEF CON's Voting Village (August 6, 2017)

DEF CON attendees were given the opportunity to hack decommissioned electronic voting machines. They found numerous security holes, particularly in systems that do not provide paper trails. Municipalities and states would be well advised to start addressing voting security issues as soon as possible. Recommendations include retiring outdated machines; securing voter registration systems and databases; requiring risk-limiting audits where electronic voting machines are used; changing rules for voting systems' procurement and maintenance; and training election officials in the use of cryptographic keys.

Read more in:
Wired: Voting Machine Hackers Have 5 Tips to Save the Next Election
https://www.wired.com/story/voting-machine-hackers-5-tips/

BroadPwn Patched in Google's Chrome OS (August 4, 2017)

Google has updated its Chrome operating system to fix a security issue that could be exploited to take control of vulnerable devices. The BroadPwn bug, which affects Broadcom Wi-Fi chipsets, has been fixed in Chrome OS 60.0.3112.80. Google has already released a BroadPwn fix for Android products.

Read more in:
SC Magazine: Google patches BroadPwn bug in Chrome OS
https://www.scmagazine.com/google-patches-broadpwn-bug-in-chrome-os/article/679888/

NCCIC/ICS-CERT Alerts Car Makers to CAN Bus Standard Vulnerability (August 3, 2017)

The US Department of Homeland Security's (DHS's) National Cybersecurity and Communications Integration Center and Industrial Control Systems Cyber Emergency Response Team (NCCIC/ICS-CERT) has issued an alert to automobile manufacturers, recommending that they review research describing vulnerabilities in vehicle control modules. Specifically, the alert notes that "NCCIC/ICS-CERT is aware of a public report of a vulnerability in the Controller Area Network (CAN) Bus standard," and that proof-of-concept exploit code exists.

Read more in:
FCW: DHS, vendor warn on automotive cyber flaws
https://fcw.com/articles/2017/08/03/auto-cyber-cert-rockwell.aspx
ICS-CERT: CAN Bus Standard Vulnerability
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-209-01

INTERNET STORM CENTER TECH CORNER

Open Graph Protocol Used to Obfuscate Malicious Facebook Links

https://isc.sans.edu/forums/diary/Use+of+the+Open+Graph+Protocol+to+Disguise+Malicious+Facebook+Links/22684/

Cerber Adding Bitcoin and Password Stealer to Crypto Ransomware

http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-ransomware-evolves-now-steals-bitcoin-wallets/

Symantec Selling Certificate Business To Digicert

https://www.heise.de/security/meldung/Nachspiel-einer-fatalen-Panne-Symantec-verkauft-Zertifikatssparte-an-DigiCert-3793482.html

Siemens Medical Imaging Systems Vulnerable to Old Windows Flaws

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-822184.pdf

PHPMyAdmin Scans

https://isc.sans.edu/forums/diary/Increase+of+phpMyAdmin+scans/22688/

Hotspot Shield Leaks Private User Data

https://cdt.org/files/2017/08/FTC-CDT-VPN-complaint-8-7-17.pdf

Debian Turning Off Support for TLS 1.0/1.1

https://lists.debian.org/debian-devel-announce/2017/08/msg00004.html

Ongoing Phishing Attacks Against Google Chrome Plugin Developers

https://www.bleepingcomputer.com/news/security/chrome-extension-developers-under-a-barrage-of-phishing-attacks/


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create