iPad Pro w/ Magic KB, Surface Go 2, or $350 Off with OnDemand Training - Register Now

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #65

August 16, 2016


Commission on Enhancing National Cybersecurity Seeks Public Input
OIG Finds GSA Access Controls in Good Shape


US Intelligence to Share Supply Chain Threat Reports
Russian Doping Whistleblower's Website Account Compromised
Sage Software Company Breach
Oracle MICROS Attackers Targeted Other POS Vendors
Report: US Interior Dept. Needs to Update Logical Access Controls
Samsung Galaxy S6 Edge Update
Hotel Point-of-Sale Systems Compromised
Iran Investigating Possibility That Oil Field Fires were Caused by Cyberattacks
FDA Releases Draft Guidance for Medical Device Security Modifications



********************** Sponsored By AlienVault *************************

See why AlienVault has been named a Visionary in the latest Gartner Magic Quadrant for SIEM:



--SANS Alaska | Anchorage, AK | August 22-27, 2016 | https://www.sans.org/event/alaska-2016

--SANS Virginia Beach 2016 | Virginia Beach, VA | August 22-September 2 | https://www.sans.org/event/virginia-beach-2016

--SANS Brussels Autumn 2016 | Brussels, Belgium | September 5-10 | https://www.sans.org/event/brussels-autumn-2016

--SANS Northern Virginia 2016 | Crystal City, VA | September 6-11 | https://www.sans.org/event/crystal-city-2016

--SANS Network Security 2016 | Las Vegas, NV | September 10-19 | https://www.sans.org/event/network-security-2016

--SANS London Autumn 2016 | London, UK | September 19-24 | https://www.sans.org/event/london-autumn-2016

--Security Leadership Summit & Training | September 27 - October 4, 2016 | Dallas, TX | https://www.sans.org/event/security-leadership-summit-2016

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA | https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic | https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD | https://www.sans.org/event/baltimore-2016



Commission on Enhancing National Cybersecurity Seeks Public Input (August 10, 2016)

The Commission on Enhancing National Cybersecurity is seeking "information about current and future states of cybersecurity in the digital economy." The Commission is seeking information on a range of cybersecurity-related topics, including critical infrastructure cybersecurity, cybersecurity workforce, identity and access management, Internet of Things (IoT), and cybersecurity research and development. President Obama established the commission within the Department of Commerce earlier this year through an executive order. It reports to the president and is supported by the National Institute of Standards and Technology (NIST).

[Editor Comments ]

[Murray ]
Hope springs eternal. We should not need a "commission" to tell us what every reader of NewsBites knows. Our problem is not ignorance but will, the will to employ strong authentication and multi-party controls. If one looks at what Edward Snowden was able to accomplish all by himself in an enterprise with a "national security" culture, then imagine what a team is able to do in the average enterprise.
Read more in:
Federal Register: Information on Current and Future States of Cybersecurity in the Digital Economy

FCW: Cyber commission wants public ideas for bolstering IT security
White House: Executive Order - Commission on Enhancing National Cybersecurity

OIG Finds GSA Access Controls in Good Shape (August 12, 2016)

The Office of Inspector General (OIG) of the US General Services Administration (GSA) found the agency's "policies and procedures regarding access controls" to be in line with federal standards. Eleven of the GSA's 18 examined systems use "multifactor authentication for privileged users consistent with government-wide policies." The seven systems that do not have multifactor authentication use "compensating controls for privileged user access."

[Editor Comments ]

[Murray ]
The exception but it illustrates that it can be done. This shows that federal agencies can make progress where management omits the necessary leadership and resources.
Read more in:
Nextgov: GSA Gets Thumbs Up on Cybersecurity Act Assessment

GSAIG: US General Services Administration Office of Inspector General Cybersecurity Act Assessment

*************************** SPONSORED LINKS *****************************
1) Register Now for the What Works Webcast: "A Credit Union Increased Network Security With Network Access Control Based on Great Bay Software Beacon". Tuesday, August 23rd, 2016 at 11:00 AM Eastern with John Pescatore and Jeremy Taylor. http://www.sans.org/info/187775

2) Don't Miss: "Top Office 365 Mail Vulnerabilities: Attacks on your Users Right Now". Wednesday, August 31st, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Michael Landewe, Chris Isbrecht and Kip James. http://www.sans.org/info/187780

3) Help SANS determine how organizations conduct CONTINUOUS VULNERABILITY ASSESSMENT and remediation related to the CIS Critical Security Controls- http://www.sans.org/info/187750


US Intelligence to Share Supply Chain Threat Reports (August 10, 11, and 15, 2016)

The US National Counterintelligence and Security Center (NCSC) plans to provide reports to US companies about cyberthreats related to the goods and services those companies use. The information sharing program will focus on telecommunications, financial, and energy companies.
Read more in:
Computerworld: US intelligence to share supply chain threat reports with industry

Bloomberg: US Intelligence to Help Companies Avert Supply-Chain Hacking

DNI News Release: New Video Highlights Foreign Risks to Private Sector Supply Chains

Russian Doping Whistleblower's Website Account Compromised (August 15, 2016)

A phishing attack on the World Anti-Doping Agency (WADA) website may have compromised the location of Yuliya Stepanova, a former Russian runner who became a whistleblower when she disclosed state-sponsored athlete doping in that country. For her own safety, Stepanova left Russia following the disclosure.
Read more in:
V3: Russian athlete whistleblower has online account hacked in major security leak

The Register: Russian sports doping whistleblower fears for safety after hack

Sage Software Company Breach (August 14 and 15, 2016)

The accounting software company Sage Group has acknowledged a data breach that may affect hundreds of their business customers. The breach was caused by someone using an internal login without authorization. Sage has begun notifying affected customers, many by phone calls. The UK information Commissioner's office (ICO) has been contacted.
Read more in:
V3: Sage breach exposes personal data of staff at 280 companies

ZDNet: Sage data breach may impact hundreds of business customers

SC Magazine UK: Sage suffers data breach from insider

BBC: Sage software firm hit by data breach
The Register: Accountancy software firm Sage breached in apparent insider attack

Oracle MICROS Attackers Targeted Other POS Vendors (August 12 and 13, 2016)

The attackers who compromised Oracle's MICROS customer support portal and injected malicious code into software have also breached systems of at least five other point-of-sale systems vendors. The attacks occurred between July 16 and July 29. The affected companies include Cin7, ECRS, Navy Zebra, PAR Technology, and Uniwell.
Read more in:
V3: Oracle MICROS hack claims more victims
SC Magazine: research firm finds MICROS hackers infected more POS vendors

The Register: A Russian cyber-gang, the Oracle MICROS hack, and five more POS makers in crims' sights
Forbes: Oracle MICROS Hackers Infiltrate Five More Cash Register Companies

KrebsonSecurity: Visa Alert and Update on the Oracle Breach

Report: US Interior Dept. Needs to Update Logical Access Controls (August 10 and 12, 2016)

According to a report from the US Department of the Interior (DOI) Office of the Inspector General (OIG), eight of nine systems OIG tested at the agency did not meet minimum federal standards for logical access controls. The report also found that DOI needs to encrypt mobile devices and to develop "the ability inspect encrypted traffic for malicious content." The OIG report acknowledges that "DOI has implemented multifactor authentication to reduce the risk of unauthorized access" to systems.

[Editor Comments ]

[Pescatore ]
A lot of these reports will be coming out, as the Cybersecurity Act of 2015 included a requirement for all agencies to report within 240 days on the state of logical access controls and multi-factor authentication used in protecting personally identifiable information. Predictably, there was no deadline imposed for fixing discovered deficiencies - or fixing the yearly Inspector General process if it hadn't already exposed these shortfalls.
Read more in:
SC Magazine: Interior Dept. must update access control standards to meet NIST guidelines - report

FCW: IG: Interior needs to tighten computer security
DOIOIG: Inspection of Federal Computer Security at the US Department of the Interior (PDF)

Samsung Galaxy S6 Edge Update (August 12, 2016)

An update for Samsung's Galaxy S6 Edge smartphone includes a fix for a critical vulnerability. The details of the flaw were not released with the update, but it appears to affect only the S6 Edge phone. The update also includes stability and memory management efficiency improvements.
Read more in:
SC Magazine: Samsung releases Galaxy S6 Edge update, includes a patch for a critical security vulnerability

Hotel Point-of-Sale Systems Compromised (August 14 and 15, 2016)

Point-of-sale systems at 20 hotels in the US have been infected with malware. The affected systems are at hotels operated by HEI Hotels & Resorts. The attacks began in March 2015 and were stopped in late June 2016.
Read more in:
The Register: POS malware stings 20 US hotels
CNET: Malware strikes Starwood, Marriott and Hyatt hotels, exposing customer card data

ZDNet: 20 top US hotels hit by fresh malware attacks
Computerworld: HEI Hotels reports point-of-sale terminals breach

Iran Investigating Possibility That Oil Field Fires were Caused by Cyberattacks (August 12, 2016)

A series of fires and explosions at Iranian gas and oil facilities has prompted the country's National Cyberspace Council to investigate if cyberattacks were involved. Since July 6, there have been at least three fires and two explosions.

[Editor Comments ]

[Assante ]
A cluster of accidents is suspicious, but the country is ramping up both oil and gas production. Cyber investigations in ICS environments are difficult with few proven tools, procedures, or people to conduct them. Investigators can use attack trees working backwards from outcomes to illuminate potential paths for investigation.
Read more in:
TIME: Iran Investigates if Series of Oil Industry Accidents Were Caused by Cyber Attack

FDA Releases Draft Guidance for Medical Device Security Modifications (August 9, 2016)

The US Food and Drug Administration has published draft guidance for manufacturers of Internet-connected medical devices to help them determine when they need to submit modifications that affect cybersecurity for FDA approval. An FDA official noted that "Medical device technology evolves quickly, and not all changes made to marketed devices alter their safety profile or require our review." The draft documents will be available for public comment until November 7, 2016.

[Editor Comments ]

[Pescatore ]
Aargh, the FDA issued this same guidance in 2005 and again somewhere around 2011! Since medical device buyers haven't included such requirements in their procurements, medical device manufacturers have largely ignored the guidance. I'd like to see the Health Care ISAC or other Health Care industry organizations put some pressure on this area.
Read more in:
GovInfoSecurity: FDA Addresses Medical Device Cybersecurity Modifications

FDA: Deciding When to Submit a 510(k) for a Software Change to an Existing Device (PDF)

FDA: Deciding When to Submit a 510(k) for a Change to an Existing Device (PDF)


Most Android Devices Protected From Quadrooter By Default


Dangers of IP Geolocation


Microsoft Secure Boot Key Bypass

(Careful. Highly annoying but harmless.)

Starting October 2016, Microsoft Will Use Monthly Rollup Updates for Win 7/8.1


Updated Group Policies To Block Macros in Office 2013


Bypassing Application Whitelisting using WinDbg


Bypassing UAC without writing to disk


The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create