
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #79

October 6, 2017


Former Equifax CEO Points Finger at Single Employee for Failure to Update Software
All Three Billion Yahoo Accounts Hacked in 2013
Kaspersky Disputes Allegations that Russian Hackers Stole NSA Files by Using Kaspersky AV
Russia is Allegedly Compromising NATO Troops' Personal Phones


White House Asks Agencies for Ideas to Replace Social Security Numbers
SEC Security Team Says It Lacked Adequate Funding; IG Says Agency Did Not Obey Management Controls
US Consumer Financial Protection Bureau IG Report
Brazilian Banking Trojan Uses Legitimate VMware Binary
Courts in Spain, Greece, and Latvia Grant US Requests for Extradition of Alleged Russian Cyber Criminals
Information from the Equifax Congressional Hearing
Updates Available to Fix Flaw in WordPress Plugins
IETF Releases New BGP Path Validation Draft Standard


*************************** Sponsored By Syncurity *******************************

In case you missed it: "Shrinking Attack Dwell Times - A Phishing Case Study Demo." See how the attack dwell time can be compressed using a Security Automation & Orchestration platform that leverages the existing security stack and SOC tribal knowledge. http://www.sans.org/info/198665



-- SANS Cyber Defense Initiative ® 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 | https://www.sans.org/event/pen-test-hackfest-2017

-- SANS Sydney 2017 | November 13-25 | https://www.sans.org/event/sydney-2017

-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017

-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017

-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | https://www.sans.org/event/siem-tactical-analytics-summit-2017

-- SANS OnDemand and vLive Training | SANS Online Training - Get an iPad, a Samsung Galaxy Tab A or take $250 Off with OnDemand or vLive training through October 11. The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all



--Former Equifax CEO Points Finger at Single Employee for Failure to Update Software
(October 3 & 4, 2017)

Earlier this week, former Equifax CEO Richard Smith told US legislators that the breach was caused by an employee who failed to apply the appropriate software security updates and by a faulty scanner that missed the vulnerability a week after the updates should have been installed. The unnamed employee who failed to apply the updates resigned just weeks after the massive data breach was disclosed.

[Editor Comments]
[Assante and several other editors] Sorry, it is not as simple as someone made a mistake. All security programs are built around the concept that people make mistakes (it is the most prolific source of vulnerability) and technology management practices should account for that premise by requiring verification and overlapping controls. The CEO should try saying it this way: "At Equifax we put our Crown Jewels - all that PII in the hands of one person to safeguard 24x7, 365." That does not play so well.
[Pescatore] The fact that it took so long to notice the compromise or to notice a scanner was "faulty" was a failure by many.
[Neely] Weekly scanning and monthly patching is not unusual any longer. Where regulatory requirements don't dictate an interval, review the risks and implement a schedule, and validate it. The fewer schedules you have, the more consistency you'll achieve.
Read more in:
The Register: Sole Equifax security worker at fault for failed patch, says former CEO
CNET: Equifax ex-CEO blames breach on one person and a bad scanner
The Hill: Former Equifax CEO: Employee responsible for patching software has stepped down

--All Three Billion Yahoo Accounts Hacked in 2013
(October 3, 2017)

Yahoo now says that the massive breach in 2013 compromised virtually all three billion Yahoo accounts. Yahoo initially said that the breach affected one billion accounts. Last fall, Yahoo disclosed a second breach, which occurred in 2014 and affected 500 million accounts.
[Editor Comments]
[Williams] The key here is that the number has changed from "some accounts" to "all accounts." The damage done to Yahoo's reputation by misreporting the original number of accounts (and leaving many users vulnerable in the interim) may be worse than for the hack itself.
[Neely] Don't wait for the next breach to find out if your credentials have been compromised. Now would be an excellent time to make sure that you're not reusing passwords across multiple services, implementing longer pass phrases, turning on multi-factor authentication for services that support it and implementing a password manager. Ask yourself: is it time to retire some passwords that are "old friends"? Try some new tricks like putting a space at the end of your password, which may be missed in the output of a password cracker as Ed Skoudis suggests.
Read more in:
Wired: So, Uh, That Billion-Account Yahoo Breach Was Actually 3 Billion
Ars Technica: Every Yahoo account that existed - all 3 billion - was compromised in 2013 hack

--Kaspersky Disputes Allegations that Russian Hackers Stole NSA Files by Using Kaspersky AV
(October 5, 2017)

According to a report in the Wall Street Journal, hackers working on behalf of the Russian government managed to steal information about the methods the US uses to gain access to foreign computer networks and to defend its own networks from attacks. The report says that the attackers were able to access the information when a National Security Agency (NSA) contractor put the classified data on his home computer. Sources say that the attackers were able to identify the documents by exploiting Kaspersky antivirus software. An NSA spokesperson noted that the agency does not have an antivirus software contract with Kaspersky. In an emailed statement, Kaspersky wrote, "Kaspersky Lab has not been provided any evidence substantiating the company's involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continue to perpetuate accusations about the company." (Please note that the Wall Street Journal story is behind a paywall.)
[Editor Comments]
[Pescatore] There has been no evidence that Kaspersky's software contains any hidden malicious capabilities. I'd have to change my tune if details come out in this incident that do provide that evidence. However, if the contractor's PC was compromised and was under control of the attacker and the Kaspersky software was used to "identify" the documents, different story. Need details here.
[Williams] This story is short on facts and there are other explanations for some of the behavior described. Antivirus scans files and uploads those files to cloud scanning environments (and in some cases more public repositories like VirusTotal). Malicious documents are frequently analyzed in the cloud where more advanced heuristics can be used for analysis. While I don't doubt that the contractor's machine was compromised by Russian hackers, it's a reach to imply that Kaspersky directed that compromise.
[Neely] The big concern is another insider taking classified data and putting it on their home computer. Since Snowden, most agencies have implemented many technical and administrative controls designed to prevent exfiltration of classified information. While restrictions are already in place around the use of removable media, storage and output devices, expect increased restrictions and logging requirements around their use. The hardest use case remains the determined insider with legitimate need-to-know access to the data and approved media.
Read more in:
Dark Reading: Russian Hackers Pilfered Data from NSA Contractor's Home Computer: Report
Ars Technica: Russia reportedly stole NSA secrets with help of Kaspersky - what we know now
ZDNet: WSJ: Kaspersky software likely used in Russian-backed NSA breach
WSJ: Russian Hackers Stole NSA Data on U.S. Cyber Defense

--Russia is Allegedly Compromising NATO Troops' Personal Phones
(October 4 & 5, 2017)

Military and government officials of NATO (the North Atlantic Treaty Organization) say that Russian attackers have been targeting NATO soldiers' personal smart phones. A US Army Lt. Colonel who assumed command of a NATO base in Poland earlier this year said that someone triggered the lost mode on his personal iPhone and was trying to break through additional security measures through a Russian IP address. He also found that someone was tracking his location. In some cases, information has been stolen and/or wiped from the phones. (Please note that the Wall Street Journal story is behind a paywall.)
Read more in:
Engadget: Russia is hacking the phones of NATO soldiers
SC Magazine: Russians hacked smartphones of 4,000 NATO troops
WSJ: Russia Targets NATO Soldier Smartphones, Western Officials Say

*************************** SPONSORED LINKS ********************************

1) If you missed this one: "I'm in the cloud now so... I'm secure right?" The archive is at: http://www.sans.org/info/198670

2) Don't miss: "Isolate the Critical: How to Deploy Microsegmentation for Operational Resiliency" Register: http://www.sans.org/info/198675

3) "NotPetya, Dragonfly 2.0 & CrashOverride: Is Now the Time for Active Cyber Defense in ICS/SCADA Networks?" with Mike Assante. Register: http://www.sans.org/info/198680



--White House Asks Agencies for Ideas to Replace Social Security Numbers
(October 3 & 5, 2017)

In the wake of the Equifax breach and the associated exposure of millions of Social Security numbers (SSNs), White House cyber security advisor Rob Joyce says the administration has asked federal agencies to come up with ideas for alternative identifiers for US citizens. SSNs, which were introduced as identifiers to be used for federal retirement benefits, cannot be changed once they are stolen. They are often used for multiple sensitive purposes such as conducting financial transactions, applying for a job, and obtaining cell phone service. In a Motherboard article, Columbia University computer science professor Steve Bellovin explains why replacing SSNs is much more difficult than it seems.
[Editor Comments]
[Murray] The SSN was introduced in the 1930s to compensate in part for the limitations of punched card accounting machines. With modern database systems we might not need it at all. It was intended as an identifier. Most of the problems with it are the result of its misuse as an authenticator and as a tie-breaker (rather than address, ZIP code, parents' names, or place and date of birth) for name collisions. Note that only part of the number is necessary for that purpose. All that said, its uses and misuses are so pervasive that replacing it would be more difficult than the Y2K problem. Incidentally, I am reliably informed that the IRS, not the SSA, now controls the SSN. The SSA could not unilaterally change it even if it wanted to.
Read more in:
Motherboard: Replacing Social Security Numbers Is Harder Than You Think
Ars Technica: White House wants to end Social Security numbers as a national ID
CNET: White House official: Let's replace Social Security numbers

--SEC Security Team Says It Lacked Adequate Funding; IG Says Agency Did Not Obey Management Controls
(October 3 & 4, 2017)

Just months before the breach of the Securities and Exchange Commission's (SEC's) EDGAR system was detected, the SEC's internal digital forensics and security team wrote a letter to the SEC inspector general, complaining that they were seriously underfunded and were forced to work with equipment that other SEC branches had designated for disposal. In a separate story, a report from the SEC's Office of Inspector General (OIG) says the agency failed to adhere to federal change management controls when it made IT upgrades to its EDGAR filing system. It is not known whether the audit was conducted in response to the breach of the EDGAR system.
[Editor Comments]
[Murray] "Underfunding" is a common complaint from security staff. It often results from a failure to make effective and well justified budget requests.
[Paller] Just as often funding requests are refused because the executives see them for what they are: funds for this year's "shiny toy" rather than the deep hygiene processes that protect systems and proof that they work.
Read more in:
Reuters: SEC must improve filing system upgrades - in-house inspector
SEC: Audit of the SEC's Progress in Enhancing and Redesigning the Electronic Data Gathering, Analysis, and Retrieval (EDGAR) System
Ars Technica: SEC hack came as internal security team begged for funding

--US Consumer Financial Protection Bureau IG Report
(October 4, 2017)

A report from the US Consumer Financial Protection Bureau (CFPB) Office of Inspector General found that CFPB needs to better implement data loss prevention technologies to help protect the data it collects from attacks like those experienced by Equifax and the Securities and Exchange Commission (SEC).
[Editor Comments]
[Northcutt] Paper pushers trying to help invariably create more paper to push. We know what we need to do; patching systems as a core security practice dates back to the 1990s. An increase in actual assessed penalties is the only thing I can think of that will work.
Not more lipstick on a pig with paper assessment and accreditation:
Not slaps on the hand like the SEC $1M fine for Morgan Stanley (they make more than that in a day):
HIPAA/HHS started to lead the way after becoming known as the toothless tiger, so let's cut their budget:
https://www.linkedin.com/pulse/hipaa-tiger-teeth-has-grown-claws-marq-v-cerqua (Please note: access to this story requires signing in to LinkedIn.)
Read more in:
Reuters: U.S. financial regulator must beef up cyber security: inspector
Federal Reserve OIG: The CFPB Can Improve Its Examination Workpaper Documentation Practices (PDF)

--Brazilian Banking Trojan Uses Legitimate VMware Binary
(October 4, 2017)

A banking Trojan that targets customers of Brazilian banks uses a legitimate VMware binary to evade detection. The VMware binary tricks security systems into believing the malware is a legitimate process.
Read more in:
SC Magazine: Brazilian banking trojan uses legit VMware binary to bypass security
Cisco Talos: Banking Trojan Attempts To Steal Brazillion$

--Courts in Spain, Greece, and Latvia Grant US Requests for Extradition of Alleged Russian Cyber Criminals
(October 4, 2017)

Courts in Europe have granted four of five US extradition requests for alleged Russian cyber criminals. On Tuesday, October 3, Spain's High Court granted the US's request to extradite Peter Levashov to the US to face charges that he operated the Kelihos botnet; Russia has also requested Levashov's extradition. A Spanish court approved extradition to the US for another suspect, Stanislav Lisov, in August; he is appealing the decision. A court in Greece has approved the extradition of Alexander Vinnik to the US to face charges that he operated a Bitcoin-laundering operation. Vinnik is also appealing the decision. Yury Martyshev was extradited from Latvia to the US earlier this year. A fifth suspect, Yevgeniy Nikulin, has been detained in Czechia, where he is fighting extradition requests from both the US and Russia.
Read more in:
Bleeping Computer: US Wins Tug-of-War With Russia Over Extradition of 4 of 5 Highly Valued Suspects
Reuters: Spanish court grants U.S. extradition for Russian hacking suspect
Reuters: Greek court clears U.S. extradition of Russian bitcoin fraud suspect

--Information from the Equifax Congressional Hearing
(October 3, 2017)

Testimony from former Equifax CEO Richard Smith at a US congressional hearing earlier this week revealed that the company stored sensitive customer data unencrypted and that security reviews occurred just once a quarter. In addition, the timeline of when executives learned what about the breach does not quite add up, and the company's patching process was ineffective.
[Editor Comments]
[Neely] The importance of keeping a complete timeline of actions in a breach is underscored here. The best mitigation is to be prepared. Review your incident response plan, run a drill, and update your plan regularly. Have you visited your local FBI field office? Chief of Police? Make sure you know who to call, and they know you before there is a problem.
Read more in:
Wired: 6 Fresh Horrors From the Equifax CEO's Congressional Hearing

--Updates Available to Fix Flaw in WordPress Plugins
(October 3, 2017)

A PHP object injection vulnerability in some WordPress plugins is being actively exploited to take control of websites that use the content management system. Updates are available for the affected plugins: Appointments, Flickr Gallery, and RegistrationMagic-Custom Registration Forms.
[Editor Comments]
[Neely] Uninstall unneeded plugins so that their potentially vulnerable code is not just disabled, but removed from your system, reducing your attack surfaces.
Read more in:
The Register: Patch your WordPress plugins: Scum are right now hijacking blogs
SC Magazine: Critical zero-days found in three popular WordPress plugins
WordFence: 3 Zero-Day Plugin Vulnerabilities Being Exploited In The Wild
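As an added illustration of the vulnerability class named above (example code written for this page, not from the newsletter, the three plugins it names, or WordPress itself): the sink behind a typical PHP object injection bug is a call to unserialize() on client-controlled data, shown here beside a hardened replacement that carries only JSON bound to a server secret, and beside the PHP 7.0+ allowed_classes guard for cases where the serialized format cannot be dropped. The function names, the cookie layout, the option keys and the sample values are assumptions made for this example.

```php
<?php
// Added illustration, not code from the newsletter or from any of the plugins it
// names. Function names, cookie layout and sample values are assumptions.

// VULNERABLE: attacker-controlled input reaches unserialize().
// PHP instantiates whatever class name the serialized string asks for and runs
// that class's __wakeup()/__destruct() hooks, so any class loaded by the site
// (core, themes, other plugins) becomes reachable from a cookie or request
// parameter. Checking the result afterwards does not help: the hooks already ran.
function load_preferences_vulnerable(string $cookie_value): array
{
    $prefs = unserialize($cookie_value);
    return is_array($prefs) ? $prefs : [];
}

// HARDENED: client data is JSON (which cannot express PHP objects at all) and is
// bound to a server-side secret with an HMAC, so a tampered cookie is rejected
// before it is parsed. Only known keys with scalar values are accepted.
const ALLOWED_PREF_KEYS = ['theme', 'per_page'];

function make_preferences_cookie(array $prefs, string $secret): string
{
    $payload = base64_encode(json_encode($prefs));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function load_preferences_hardened(string $cookie_value, string $secret): array
{
    $parts = explode('.', $cookie_value, 2);
    if (count($parts) !== 2) {
        return [];
    }
    [$payload, $mac] = $parts;
    // hash_equals() compares in constant time; reject before touching the payload.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return [];
    }
    $json = base64_decode($payload, true);   // strict decoding
    if ($json === false) {
        return [];
    }
    $decoded = json_decode($json, true, 4);  // associative arrays only, shallow depth
    if (!is_array($decoded)) {
        return [];
    }
    $clean = [];
    foreach (ALLOWED_PREF_KEYS as $key) {
        if (isset($decoded[$key]) && is_scalar($decoded[$key])) {
            $clean[$key] = $decoded[$key];
        }
    }
    return $clean;
}

// If serialized PHP cannot be dropped (for example legacy rows already stored in
// the database), PHP 7.0+ can forbid object instantiation outright: every class
// named in the string becomes __PHP_Incomplete_Class and no magic method runs.
function unserialize_scalars_only(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// --- constructed demonstration values (assumed, not from the newsletter) ---
$secret = 'replace-with-a-per-site-secret';   // e.g. derived from the site's own salts
$good   = make_preferences_cookie(['theme' => 'dark', 'per_page' => 20], $secret);
$forged = make_preferences_cookie(['theme' => 'dark', 'per_page' => 20], 'wrong-secret');

var_dump(load_preferences_hardened($good, $secret));    // signed with the site secret
var_dump(load_preferences_hardened($forged, $secret));  // signed with another secret: rejected

// A serialized string naming a class is defanged instead of instantiated.
var_dump(unserialize_scalars_only('O:8:"stdClass":0:{}'));
```

The point for defenders is that the fix is structural rather than a blocklist: once no code path hands client bytes to unserialize(), the "gadget" classes that make object injection exploitable are irrelevant, which is also why removing unused plugins, as suggested above, shrinks the exposure even for plugins that are not themselves the entry point.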

--IETF Releases New BGP Path Validation Draft Standard
(October 3, 2017)

The Internet Engineering Task Force (IETF) has issued new draft standards aimed at improving the security of the Border Gateway Protocol (BGP) system. The BGPsec standard involves using digital signatures on BGP routers so Internet traffic flows over a digitally-signed path.
Read more in:
Dark Reading: New Standards Will Shore up Internet Router Security


Fedex Malspam Pushes Formbook Infostealer Malware

Wordpress Plugins Heavily Abused For Site Defacements

Fake WordPress Security Plugin Being Advertised

Extract HTTP Requests from PCAPs and Turn Them Into cURL Commands

Apple Patches Embarrassing MacOS High Sierra Flaw

Cyber Security Awareness Month: Ouch! Newsletter (PDF)

Modified Rowhammer Attack Bypasses Current Defenses (PDF)

Metasploit Modules For VMWare Escape

Another Tomcat PUT Vulnerability

STI Student Interview with Dallas Haselhorst: HL7 Healthcare Protocol

Nzyme Wifi Frame Recording and Forensics


The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create