Gain Top-Notch InfoSec Skills at SANS Las Vegas 2018. Save $400 thru 12/6.

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #72

September 09, 2016

TOP OF THE NEWS

House Oversight Committee Report on OPM Breach
White House Names First Federal CISO
Android Updates Address Nearly 60 Flaws

THE REST OF THE WEEK'S NEWS

Two Arrested for Allegedly Stealing US Government Officials' Information
New HTTP Warnings in Chrome
Xen Project Patches Hypervisor Flaws
Mac OS X Backdoor
WordPress Update
St. Jude Suing MedSec and Muddy Water Waters Over Short Sell
Researchers Find Indications US State Election Board Attacks May Have Links to Russia

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


************************ Sponsored By Skycure **************************

Pegasus Spyware: What You Need to Know to Keep Your Organization Protected. Live Webinar. Pegasus is one of the most targeted and persistent spyware ever found on iOS that can completely compromise all communications and activity on a smartphone. Join this webinar to learn how not to fall victim to the Pegasus attack. Register now:
http://www.sans.org/info/188497

***************************************************************************

TRAINING UPDATE

--SANS Network Security 2016 | Las Vegas, NV | September 10-19 | https://www.sans.org/event/network-security-2016

--SANS London Autumn 2016 | London, UK | September 19-24 | https://www.sans.org/event/london-autumn-2016

--Security Leadership Summit & Training | Dallas, TX | September 27 - October 4, 2016 | https://www.sans.org/event/security-leadership-summit-2016

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA | https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic | https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD | https://www.sans.org/event/baltimore-2016

--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan | https://www.sans.org/event/tokyo-autumn-2016

--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA | https://www.sans.org/event/tysons-corner-2016

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA | https://www.sans.org/event/san-diego-2016

--Pen Test HackFest Summit & Training | November 2-9, 2016 | Crystal City, VA | https://www.sans.org/event/pen-test-hackfest-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC | https://www.sans.org/event/cyber-defense-initiative-2016

***************************************************************************

TOP OF THE NEWS

House Oversight Committee Report on OPM Breach (September 7 and 8, 2016)

According to a report from the US House Oversight and Government Reform Committee, the breach of systems at the Office of Personnel Management (OPM) was due (in large part) to "the longstanding failure of OPM leadership to implement basic hygiene." The report notes that there were two breaches at OPM. The first, which began in November 2013 and was shut down in May 2014, targeted manuals and technical information about the types of data stored in OPM systems. The second breach targeted personally identifiable information, including background investigation data and personnel records. The breaches were likely conducted by cyberespionage groups in China.

[Editor Comments ]


[Murray ]
Perhaps we expect too much from "good hygiene." Perhaps it is time to consider (closed)(single) Application-only systems for most tasks. Perhaps it is time to take the lessons of the closed, single-application-at-a-time, hidden (from the user) file system, architecture of the Apple iOS environment to heart. Contrary to all the alarmist complaints from the geeks as this strategy became apparent, these restrictions have been more security effective and less inconvenient than the geeks would have predicted.
Read more in:
Dark Reading: OPM Breach: Two Waves of Attacks Likely Connected, Congressional Probe Concludes
-http://www.darkreading.com/endpoint/opm-breach-two-waves-of-attacks-likely-conne
cted-congressional-probe-concludes/d/d-id/1326834?

Ars Technica: Surprise! House Oversight report blames OPM leadership for breach of records
-http://arstechnica.com/information-technology/2016/09/surprise-house-oversight-r
eport-blames-opm-leadership-for-breach-of-records/

The Register: Read the damning dossier on the security stupidity that let China ransack OPM's systems
-http://www.theregister.co.uk/2016/09/08/opm_hacking_report/
US House: The OPM Data Breach: How the Government Jeopardized National Security for More than a Generation (PDF)
-https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-t
he-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf

White House Names First Federal CISO (September 8, 2016)

The White House has named the first US federal chief information security officer (CISO). Brigadier General (retired) Gregory J. Touhill. US CIO Tony Scott and Special Assistant to the President and Cybersecurity Coordinator J. Michael Daniel wrote in a blog post announcing the appointment that "the CISO will play a central role in helping to ensure the right set of policies, strategies, and practices are adopted across agencies and keeping the Federal Government at the leading edge of 21st century cybersecurity." Grant Schneider has been named Acting Deputy CISO.
Read more in:
Federal News Radio: White House names first federal chief information security officer
-http://federalnewsradio.com/people/2016/09/white-house-names-first-federal-chief
-information-security-officer/

ZDNet: White House appoints first Federal Chief Information Security Officer
-http://www.zdnet.com/article/white-house-appoints-first-federal-chief-informatio
n-security-officer/

White House: Announcing the first Federal Chief Information Security Officer
-https://www.whitehouse.gov/blog/2016/09/08/announcing-first-federal-chief-inform
ation-security-officer

Android Updates Address Nearly 60 Flaws (September 7, 2016)

Google has released updates for Android to fix 57 vulnerabilities, eight of which are rated critical. The patches are grouped into three "security patch level strings" to help manufacturers apply them to their devices.
Read more in:
SC Magazine: Google patches 57 Android vulnerabilities, attempts to resolve Mediaserver attacks
-http://www.scmagazine.com/google-patches-57-android-vulnerabilities-attempts-to-
resolve-mediaserver-attacks/article/521160/

eWeek: Google Fleshes Out Details of Android Nougat Security Enhancements
-http://www.eweek.com/android/google-fleshes-out-details-of-android-nougat-securi
ty-enhancements.html



*************************** SPONSORED LINKS *****************************
1) Don't miss this opportunity for the inside scoop on the latest advanced threat tactics. Register: http://www.sans.org/info/188502

2) Get a greater understanding of OpenSCAP and tools to help apply industry standards to your production servers. Register: http://www.sans.org/info/188512

3) ENDING SOON! "What are your vulnerabilities? Do you even know? Take SANS survey and enter to win a $400 Amazon Gift Card. http://www.sans.org/info/188517
***************************************************************************

THE REST OF THE WEEK'S NEWS

Two Arrested for Allegedly Stealing US Government Officials' Information (September 8, 2016)

US law enforcement authorities have arrested two people who allegedly had roles in the theft and leak of information of more than 29,000 FBI and Department of Homeland Security (DHS) officials. Andrew Otto Boggs and Justin Gray Liverman allegedly used social engineering to gain access to the accounts. Three additional suspects are under investigation in the UK.

[Editor Comments ]


[HONAN ]
One of the alleged avenues of compromise was a social engineering call to the Department of Justice's helpdesk. This highlights how critical it is to ensure your helpdesk staff are trained on how to spot a social engineering attack and to have robust end user identification processes in place to ensure they are dealing with the authorised owner of the account.
Read more in:
Computerworld: FBI nabs hackers who allegedly dumped details on government agents
-http://www.computerworld.com/article/3118266/security/fbi-nabs-hackers-who-alleg
edly-dumped-details-on-government-agents.html

Ars Technica: Two men charged with hacking CIA director and other high-ranking officials
-http://arstechnica.com/security/2016/09/two-men-charged-with-hacking-cia-directo
r-and-other-high-ranking-officials/

Scribd: Affidavit in Support of a Criminal Complaint and Arrest Warrants
-https://www.scribd.com/document/323368911/1-16-mj-00406#download

New HTTP Warnings in Chrome (September 8, 2016)

Google will start warning users about sites using HTTP rather than HTTPS early next year. When the stable version of Chrome 56 is released at the end of January 2017, the browser will warn users when sites send passwords or payment card data over non-secure, HTTP connections. The warnings are "part of a long-term plan to mark all HTTP sites as non-secure," according to Google's blog post.

[Editor Comments ]


[Ullrich ]
These warnings, which will be displayed in the URL bar, solve a long outstanding problem that. Although SSL errors are very visible to the user, the absence of SSL is not specifically advertised. Attack tools like sslstrip have taken advantage of this flaw, and many phishing sites do not have to bother with setting up SSL. This new indicator should make it easier to educate users to spot insecure sites. But it also puts more pressure on legitimate websites to properly implement SSL.

[Northcutt ]
The security.googleblog.com is the most important link. By phasing the warnings in, they are trying to maintain rapport with rank and file users while raising awareness. Most users will agree that unencrypted credit card fields are a bad idea and they plan to go from there.

[Pescatore ]
I'd rather see Google donate some percentage of its advertising to "public service announcements" working to educate and change user behaviors than add more popups. The browser (and certificate) industry as a whole has failed to educate users on things like what red/green URLs mean or what it means when certificate warning pop up.
Read more in:
Computerworld: Google puts screws to HTTP with new warnings in Chrome
-http://www.computerworld.com/article/3118184/internet/google-puts-screws-to-http
-with-new-warnings-in-chrome.html

CNET: Chrome to warn when insecure websites expose your passwords
-http://www.cnet.com/news/chrome-warning-insecure-http-websites-expose-passwords-
credit-card-numbers/

The Register: Come in HTTP, your time is up: Google Chrome to shame leaky non-HTTPS sites from January
-http://www.theregister.co.uk/2016/09/08/chrome_to_shame_non_https_sites/
Google Blog: Moving towards a more secure web
-https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

Xen Project Patches Hypervisor Flaws (September 8, 2016)

The Xen project has released fixes for four vulnerabilities in its hypervisor. Three of the flaws could be exploited to allow guest virtual machines to take control of the host server. The fourth flaw could allow guests to cause crashes.
Read more in:
The Register: Hypervisor security ero-Xen: How guest VMs can hijack host servers
-http://www.theregister.co.uk/2016/09/08/xen_security_bugs/

Mac OS X Backdoor (September 8, 2016)

Researchers at Kaspersky Lab have detected a variant of the Mokes malware that targets computers running the Mac OS X operating system. Other versions of Mokes are already known to target Windows and Linux systems. Mokes allows attackers to steal a variety of data from infected machines and can execute arbitrary commands.
Read more in:
ZDNet: Sophisticated Mac OS X backdoor uncovered
-http://www.zdnet.com/article/sophisticated-mac-os-x-backdoor-uncovered/
Securelist (Kaspersky blog): The Missing Piece - Sophisticated OS X Backdoor Discovered
-https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-
backdoor-discovered/

WordPress Update (September 8, 2016)

WordPress has updated its content management system to version 4.6.1 to address a pair of vulnerabilities. One of the flaws could be exploited in cross-site scripting attacks. The second is a path traversal flaw in the upgrade package uploader. The update also addresses 15 additional issues.
Read more in:
SC Magazine: WordPress update fixes XSS issues
-http://www.scmagazine.com/wordpress-update-fixes-xss-issues/article/521266/
Softpedia: WordPress 4.6.1 Security Update is Out, Time to Update Peeps
-http://news.softpedia.com/news/wordpress-4-6-1-security-update-is-out-time-to-up
date-peeps-508089.shtml

WordPress: WordPress 4.6.1 Security and Maintenance Release
-https://wordpress.org/news/2016/09/wordpress-4-6-1-security-and-maintenance-rele
ase/

St. Jude Suing MedSec and Muddy Water Waters Over Short Sell (September 7, 2016)

St. Jude Medical is suing MedSec and Muddy Waters over "... false statements, false advertising, conspiracy and the resultant manipulation of the public markets." Last month, MedSec and Muddy Waters teamed up to release a report about alleged flaws in some St. Jude medical devices and take financial advantage of a resulting dip in the company's stock price.
Read more in:
ZDNet: MedSec sued over St. Jude pacemaker vulnerability report
-http://www.zdnet.com/article/medsec-sued-over-st-jude-pacemaker-vulnerability-re
port/

Dark Reading: St. Jude Sues Muddy Waters, MedSec
-http://www.darkreading.com/vulnerabilities---threats/st-jude-sues-muddy-water-wa
ters-medsec/d/d-id/1326837?

The Register: St Jude sues short-selling MedSec over pacemaker 'hack' report
-http://www.theregister.co.uk/2016/09/07/st_jude_sues_over_hacking_claim/
St. Jude: St. Jude Medical brings legal Action Against Muddy Waters and MedSec
-http://media.sjm.com/newsroom/news-releases/news-releases-details/2016/St-Jude-M
edical-Brings-Legal-Action-Against-Muddy-Waters-and-MedSec/default.aspx

Regmedia: Complaint (PDF)
-https://regmedia.co.uk/2016/09/08/medsec_lawsuit.pdf

Researchers Find Indications US State Election Board Attacks May Have Links to Russia (September 6, 2016)

Researchers at ThreatConnect have found that an Internet Protocol (IP) address used in cyberattacks against election boards in Illinois and Arizona was also used in a series of spearphishing attacks against Turkish and Ukrainian government officials and members of the German Freedom Party. The political nature of the phishing targets suggests that it could be a "state-based effort."

[Editor Comments ]


[Assante ]
Another example of why it is important to learn as much as we can from these types of attacks (campaigns to influence, disrupt infrastructure, disrupt government services) from around the world. Ukraine has the unfortunate role of being the bellwether for a particular country's strategic cyber efforts aimed at influencing, strong-arming, and reducing confidence.
Read more in:
Dark Reading: More Signs Point to Russian Cyberspy Connection In State Election Board
-http://www.darkreading.com/analytics/more-signs-point-to-russian-cyberspy-connec
tion-in-state-election-board-hacks/d/d-id/1326825


INTERNET STORM CENTER TECH CORNER

Google September Android Security Update
-https://source.android.com/security/bulletin/2016-09-01.html

Hard Coded Password / Key Issue Gets Worse
-http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html

Snagging Credentials From Locked Machines (Windows and OS X)
-https://room362.com/post/2016/snagging-creds-from-locked-machines/

DShield Blocklist Update
-https://isc.sans.edu/forums/diary/Updated+DShield+Blocklist/21453/

Fortinet FortiWAN Load Balancer Mulitple Unpatched Vulnerabilities
-http://www.kb.cert.org/vuls/id/724487

Rapid7 Published NSM Vulnerabilities
-http://www.theregister.co.uk/2016/09/07/natwork_magement_vulns/

OPM Breached by Two Different Attackers
-https://oversight.house.gov/wp-content/uploads/2016/09/The-OPM-Data-Breach-How-t
he-Government-Jeopardized-Our-National-Security-for-More-than-a-Generation.pdf

Spikes in SNMP Traffic: Looking for PCAPs
-https://isc.sans.edu/forums/diary/Curious+SNMP+Traffic+Spike/21457/

New Version of Wireshark Released
-https://www.wireshark.org/docs/relnotes/wireshark-2.2.0.html

XEN Hypervisor Vulnerabilities
-https://xenbits.xen.org/xsa/

Google Moving Ahead With HTTP Phaseout
-https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

Old Windows Media Player DRM Feature Still Used To Install Malware
-http://blog.cyren.com/articles/windows-media-player-drm-feature-used-for-malware
-delivery-again.html



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create