Last Day to Save $400 on 4-6 Day Courses at SANS Tysons Corner Fall 2017! Register Now.

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #63

August 09, 2016

TOP OF THE NEWS

Medical Records Compromised Through Healthcare ID Card Company
Oracle MICROS Point-of-Sale Customer Support Portal Breached
Qualcomm Chip Flaws Could Giver Attackers Root Access to Android Devices

THE REST OF THE WEEK'S NEWS

DARPA Grand Challenge Winner
Strider Espionage Group
Garda IT Systems Now Restored Following Attack
Insurance Company Offers Discounted Rates for Using IoT Alarm
Pay-per-Install Affiliates Bundle Unwanted Software with Legitimate Downloads
New Security Domains

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


********************** Sponsored By Sophos Inc. ************************

How to stay protected against ransomware: Ransomware threats like Cryptowall, TeslaCrypt and Locky are on the rise, targeting organizations of all sizes. Find out how these attacks work and why a large number of new infections continue to surface despite existing protective measures. Learn more:
http://www.sans.org/info/187787

***************************************************************************

TRAINING UPDATE

--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016

--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016

--SANS Virginia Beach 2016 | Virginia Beach, VA | August 22-September 2 | https://www.sans.org/event/virginia-beach-2016

--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016

--SANS Northern Virginia 2016 | Crystal City, VA | September 6-11 | https://www.sans.org/event/crystal-city-2016

--SANS Network Security 2016 | Las Vegas, NV | September 10-19 | https://www.sans.org/event/network-security-2016

--SANS London Autumn 2016 | London, UK | September 19-24 | https://www.sans.org/event/london-autumn-2016

--Security Leadership Summit & Training | September 27 October 4, 2016 | Dallas, TX | https://www.sans.org/event/security-leadership-summit-2016

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA | https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic | https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD | https://www.sans.org/event/baltimore-2016

***************************************************************************

TOP OF THE NEWS

Medical Records Compromised Through Healthcare ID Card Company (August 5 and 8, 2016)

A company that makes healthcare ID cards for a number of health insurance organizations is notifying 3.3 million people that their personal data were compromised. Newkirk Products says that someone obtained unauthorized access to a server containing the information, which includes names of people enrolled in plans, primary care providers, information about insurance premium payments, and Medicaid ID numbers. Newkirk became aware of the breach in early July; the intruder first gained access in May 2016.
Read more in:
SC Magazine: Newkirk medical records breach impacts 3.3M, Blue Cross Blue Shield customers affected
-http://www.scmagazine.com/unauthorized-individual-gains-access-to-a-server-conta
ining-data-on-33m/article/514741/

PR Newswire: Newkirk Products, Inc. Provides Notice of Data Breach
-http://www.prnewswire.com/news-releases/newkirk-products-inc-provides-notice-of-
data-breach-300309995.html

Oracle MICROS Point-of-Sale Customer Support Portal Breached (August 8, 2016)

Attackers have compromised systems at Oracle, Inc., including a customer support portal for the company's MICROS point-of-sale payment card systems. Oracle has asked all customers to reset their support portal passwords. The attack appears to be the work of a Russian cybercrime group known as Carbanak.
Read more in:
KrebsonSecurity: Data Breach at Oracle's MICROS Point-of-Sale Division
-http://krebsonsecurity.com/2016/08/data-breach-at-oracles-micros-point-of-sale-d
ivision/

Qualcomm Chip Flaws Could Giver Attackers Root Access to Android Devices (August 8, 2016)

Four vulnerabilities in Qualcomm chips used in Android devices could be putting 900 million users at risk of having their devices hijacked. The flaws could be exploited to obtain elevated privileges and gain root access to vulnerable devices. Fixes for the flaws are available, but handset manufacturers are responsible for distributing them to users. Google's most recent Android update includes fixes for three of the flaws; the fourth was not ready in time.

[Editor Comments ]


[Williams ]
Vulnerabilities that break application containerization models are never good, especially on Android where they will be patched in months if at all by different handset manufacturers. But these vulnerabilities are not likely to be exploitable without installing rogue applications, which Google is surely already looking for. Your risk of these vulnerabilities is practically zero unless you install apps from outside the Google Play Store ecosystem. It's also worth noting that the sky is not falling. In iOS, we don't call these 'root access vulnerabilities' - they're called jailbreaks and generally applauded by users.

[Murray ]
Yes? And? Work-arounds? Indicators of compromise? I understand that this is DefCon and that we must expect such stories. Does not the story encourage exploitation of a flaw that those who could fix it already knew about? Isn't this simply a game of "Gotcha?" Perhaps Black Hat and DefCon should begin with a plenary presentation on responsible disclosure.
Read more in:
Ars Technica: Major Qualcomm chip security flaws expose 900M Android users
-http://arstechnica.com/security/2016/08/qualcomm-chip-flaws-expose-900-million-a
ndroid-devices/

The Register: latest Androids have 'god mode' hack hole, thanks to Qualcomm
-http://www.theregister.co.uk/2016/08/08/latest_androids_have_god_mode_hack_hole/
Computerworld: Qualcomm-powered Android devices plagued by four rooting flaws
-http://www.computerworld.com/article/3105052/security/qualcomm-powered-android-d
evices-plagued-by-four-rooting-flaws.html

ZDNet: 'Quadrooter' flaws affect over 900 million Android phones
-http://www.zdnet.com/article/quadrooter-security-flaws-affect-over-900-million-a
ndroid-phones/

Checkpoint: Quadrooter: New Android Vulnerabilities in Over 900 Million Devices
-http://blog.checkpoint.com/2016/08/07/quadrooter/


*************************** SPONSORED LINKS *****************************
1) Don't Miss: What Works: A Credit Union Increased Network Security With Network Access Control Based on Great Bay Software Beacon. Tuesday, August 23rd, 2016 at 11:00 AM Eastern with John Pescatore and Jeremy Taylor. http://www.sans.org/info/187775

2) Top Office 365 Mail Vulnerabilities: Attacks on your Users Right Now. Wednesday, August 31st, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Michael Landewe, Chris Isbrecht and Kip James. Register: http://www.sans.org/info/187780

3) Help SANS determine how organizations conduct CONTINUOUS VULNERABILITY ASSESSMENT and remediation related to the CIS Critical Security Controls- http://www.sans.org/info/187750
***************************************************************************

THE REST OF THE WEEK'S NEWS

DARPA Grand Challenge Winner (August 5, 2016)

The winner of the Defense Advanced Research Projects Agency's (DARPA's) Grand Challenge is a bot called Mayhem, developed by Team ForAllSecure. The competition was an opportunity for the top seven teams to demonstrate the autonomous computer security systems they had developed. In a blog post last week, the Electronic Frontier Foundation (EFF) wrote, "this initiative by DARPA is very cool, very innovative, and could have been a little dangerous." The blog post goes on to call on the people doing the research in autonomous computing to address concerns about the technology being used maliciously.

[Editor Comments ]


[Paller ]
This contest will come to be seen as the first large-scale, practical demonstration of a game changing approach to cybersecurity. Kudos to Mike Walker, DARPA's project manager, for the vision and all the effort that made it possible.

[Williams ]
This challenge required teams to write code that would examine a binary for vulnerabilities, patch the vulnerabilities on their machines, and write exploits for the vulnerabilities on others' machines. The 'Mechanical Phish' team took a unique approach to this problem, ensuring that their patches contained a backdoor that they could exploit at will if another team tried to copy their patch. Beyond being a brilliant "anti-cheating" strategy, it highlights how easily backdoors can be inserted in code that are nearly impossible to detect.
Read more in:
Wired: Will Humans or Bots Rule Cybersecurity? The Answer is Yes
-http://www.wired.com/2016/08/will-humans-bots-rule-cybersecurity-answer-yes/
eWeek: DARPA Grand Challenge Ends With Mayhem
-http://www.eweek.com/security/darpa-cyber-grand-challenge-ends-with-mayhem.html
FCW: A word of challenge for DARPA's cyber challenge champ
-https://fcw.com/articles/2016/08/05/rockwell-darpa-challenge.aspx
EFF: Does DARPA's Grand Challenge Need a Safety Protocol?
-https://www.eff.org/deeplinks/2016/08/darpa-cgc-safety-protocol
SC Magazine: Bot Mayhem takes first place in DARPA Cyber Challenge
-http://www.scmagazine.com/bot-mayhem-takes-first-place-in-darpa-cyber-challenge/
article/514500/

Strider Espionage Group (August 8, 2016)

A newly detected cyberespionage group, which Symantec has dubbed Strider, has targeted systems in Russia, Sweden, China, and Belgium. Strider uses a tool called Remsec to steal information. Although the group has been active since at least 2011, it appears to have targeted just seven organizations, "mainly organizations and individuals that would be of interest to a nation state's intelligence services."

[Honan ]
The Russian security firm Kasperky Labs also produced a very good report on this threat, which they dubbed as Project Sauron. It makes for a good read and is available at
-https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/
Read more in:
The Hill: Report: New 'Strider' espionage group struck targets in four countries
-http://thehill.com/policy/cybersecurity/290716-report-new-strider-espionage-grou
p-struck-targets-in-four-nations

Dark Reading: Symantec Discovers Strider, a New CyberEspionage Group
-http://www.darkreading.com/attacks-breaches/symantec-discovers-strider-a-new-cyb
erespionage-group/d/d-id/1326532?

Symantec: Strider: Cyberespionage group turns eye of Sauron on targets
-http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sau
ron-targets

Ars Technica: Researchers crack open unusually advanced malware that hid for 5 years
-http://arstechnica.com/security/2016/08/researchers-crack-open-unusually-advance
d-malware-that-hid-for-5-years/

Garda IT Systems Now Restored Following Attack (August 7 and 8, 2016)

A number of Irish police systems were shut down last week after attempts were made to break into An Garda Siochana systems. Service has since been restored. While details of the malware used in the attack were scant, it is likely that the system was affected by ransomware. The Garda computer crime unit is investigating.

[Editor Comments ]


[HONAN ]
- The press release relating to this issue by An Garda Siochana used terms such as "zero day" which led to a lot of speculation resulting in many news outlets saying the attack was sponsored by groups ranging from organized crime gangs to nation state actors. This is a good example of why clear, timely, and unambiguous communications in the event of a security breach is essential in maintaining stakeholder confidence in the impacted organization. It is also useful to phrase your communications appropriately for the audience, for example non-technical reporters, so they in turn do not misrepresent the impact of the incident.
Read more in:
The Register: PCs' PCs pwned: Irish cops probe mystery malware attack
-http://www.theregister.co.uk/2016/08/08/irish_police_malware_attack/
Irish Times: Normal service restored to Garda IT systems after hack attempt
-http://www.irishtimes.com/news/crime-and-law/normal-service-restored-to-garda-it
-systems-after-hack-attempt-1.2749460

Irish Independent: Investigation launched after attempts to hack into garda IT systems
-http://www.independent.ie/irish-news/investigation-launched-after-attempts-to-ha
ck-into-garda-it-systems-34945230.html

Insurance Company Offers Discounted Rates for Using IoT Alarm (August 8, 2016)

Customers of the Zurich insurance company can get a 10 percent discount on their monthly homeowners insurance bills if they use an Internet connected alarm from Cocoon. Experts have expressed concerns about the security of the devices.

[Editor Comments ]


[Pescatore ]
Will the insurance policy cover a break-in to your home network via the Cocoon camera/audio monitor? I hope Zurich, in choosing Cocoon, made sure they have had the device, the app and the server side of the app all thoroughly tested for vulnerabilities.

[Ullrich ]
An alarm system with weakly encrypted wireless signals is still good enough to foil a burglar whose most sophisticated tool is a brick used to smash a window.
Read more in:
SC Magazine UK: Insurance firm now offering discount on use of IoT alarm
-http://www.scmagazineuk.com/insurance-firm-now-offering-discount-on-use-of-iot-a
larm/article/514501/

Pay-per-Install Affiliates Bundle Unwanted Software with Legitimate Downloads (August 8, 2016)

Researchers from Google and from New York University's Tandon School of Engineering analyzed the software pay-per-install (PPI) model and found that some PPI affiliates, those businesses that arrange to include the dodgy software in downloads, will often examine computers during the installation process to determine which adware programs would be best suited for that particular machines, and to check if antivirus software is running. The researchers also noted what they called the "thin veil of consent," the lengthy terms and conditions page that accompanies downloads, and which users often agree to without reading the details. Google says it issues more warnings for this type of unwanted software than it does for malware.
Read more in:
Computerworld: Adware can turn a profit for those who sneak it into downloads
-http://www.computerworld.com/article/3105504/security/adware-can-turn-a-profit-f
or-those-who-sneak-it-into-downloads.html

ZDNet: Google: Unwanted bundled software is way more aggressive than malware
-http://www.zdnet.com/article/google-unwanted-bundled-software-is-way-more-aggres
sive-than-malware/

eWeek: Software Bundling Outfits Intentionally Distributing Unwanted Apps
-http://www.eweek.com/enterprise-apps/software-bundling-outfits-intentionally-dis
tributing-unwanted-apps.html

New Security Domains (August 5, 2016)

gen.xyz has introduced two new top level domains: .security and .protection. The registry operator strongly encourages but does not require sites using the domains to employ SSL and DNSSEC. The new domains are priced between US $2,500 and US $4,000, in part as an effort to reduce the likelihood that criminals will purchase them in an effort to appear legitimate.

[Editor Comments ]


[Ullrich ]
Before you run out and sign up, consider that due to the high volumes of spam arriving from new domains, many users started to block all e-mail from newly minted generic top level domains (gTLDs). Personally, I started blocking .top, .science and .trade recently, eliminating about 80% of spam.
-https://isc.sans.edu/forums/diary/Are+you+getting+ICANNED/21323/

[Northcutt ]
: According to the article Office 365 protection site, Norton, FireEye, and Masterlock have already purchased domains within these TLDs. It could work if the folks within the domain police it to some extent, because the cost of the domain is not going to stop underworld activity. It was actually registered by Symantec last year and sold to gen.xyz so there may be more to the story:
-https://icannwiki.com/.security
Read more in:
Dark Reading: New Internet Security Domains Debut
-http://www.darkreading.com/cloud/new-internet-security-domains-debut-/d/d-id/132
6526


INTERNET STORM CENTER TECH CORNER

Analyzing Malicious RTF Files
-https://isc.sans.edu/forums/diary/rtfdump/21347/

Monitors Vulnerable To Remote Code Execution
-http://motherboard.vice.com/read/hackers-could-break-into-your-monitor-to-spy-on
-you-and-manipulate-your-pixels

Brute Forcing Encrypted Hard drive Protections
-https://www.blackhat.com/docs/us-16/materials/us-16-OFlynn-Brute-Forcing-Lockdow
n-Harddrive-PIN-Codes.pdf

What is Using Your Webcam
-http://www.welivesecurity.com/2016/08/04/afraid-someone-misusing-webcam/

Using File Entropy to Identify "Ransomwared" Files
-https://isc.sans.edu/forums/diary/Using+File+Entropy+to+Identify+Ransomwared+Fil
es/21351/

Bypassing Windows Digital Signatures
-https://www.blackhat.com/docs/us-16/materials/us-16-Nipravsky-Certificate-Bypass
-Hiding-And-Executing-Malware-From-A-Digitally-Signed-Executable-wp.pdf

Quadrooter Android Vulnerability
-http://blog.checkpoint.com/2016/08/07/quadrooter/

Defcon Slides Online
-https://media.defcon.org/DEF%20CON%2024/DEF%20CON%2024%20presentations/

Philips Hue Exploit (Video)
-http://colinoflynn.com/wp-content/uploads/2016/08/us-16-OFlynn-A-Lightbulb-Worm-
wp.pdf



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create