
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #72

September 09, 2016


House Oversight Committee Report on OPM Breach
White House Names First Federal CISO
Android Updates Address Nearly 60 Flaws


Two Arrested for Allegedly Stealing US Government Officials' Information
New HTTP Warnings in Chrome
Xen Project Patches Hypervisor Flaws
Mac OS X Backdoor
WordPress Update
St. Jude Suing MedSec and Muddy Waters Over Short Sell
Researchers Find Indications US State Election Board Attacks May Have Links to Russia






--SANS Network Security 2016 | Las Vegas, NV | September 10-19 | https://www.sans.org/event/network-security-2016

--SANS London Autumn 2016 | London, UK | September 19-24 | https://www.sans.org/event/london-autumn-2016

--Security Leadership Summit & Training | Dallas, TX | September 27 - October 4, 2016 | https://www.sans.org/event/security-leadership-summit-2016

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA | https://www.sans.org/event/seattle-2016

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic | https://www.sans.org/event/dfir-prague-2016

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD | https://www.sans.org/event/baltimore-2016

--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan | https://www.sans.org/event/tokyo-autumn-2016

--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA | https://www.sans.org/event/tysons-corner-2016

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA | https://www.sans.org/event/san-diego-2016

--Pen Test HackFest Summit & Training | November 2-9, 2016 | Crystal City, VA | https://www.sans.org/event/pen-test-hackfest-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC | https://www.sans.org/event/cyber-defense-initiative-2016



House Oversight Committee Report on OPM Breach (September 7 and 8, 2016)

According to a report from the US House Oversight and Government Reform Committee, the breach of systems at the Office of Personnel Management (OPM) was due (in large part) to "the longstanding failure of OPM leadership to implement basic hygiene." The report notes that there were two breaches at OPM. The first, which began in November 2013 and was shut down in May 2014, targeted manuals and technical information about the types of data stored in OPM systems. The second breach targeted personally identifiable information, including background investigation data and personnel records. The breaches were likely conducted by cyberespionage groups in China.

[Editor Comments]

[Murray]
Perhaps we expect too much from "good hygiene." Perhaps it is time to consider (closed)(single) Application-only systems for most tasks. Perhaps it is time to take the lessons of the closed, single-application-at-a-time, hidden (from the user) file system, architecture of the Apple iOS environment to heart. Contrary to all the alarmist complaints from the geeks as this strategy became apparent, these restrictions have been more security effective and less inconvenient than the geeks would have predicted.
Read more in:
Dark Reading: OPM Breach: Two Waves of Attacks Likely Connected, Congressional Probe Concludes

Ars Technica: Surprise! House Oversight report blames OPM leadership for breach of records

The Register: Read the damning dossier on the security stupidity that let China ransack OPM's systems

US House: The OPM Data Breach: How the Government Jeopardized National Security for More than a Generation (PDF)

White House Names First Federal CISO (September 8, 2016)

The White House has named the first US federal chief information security officer (CISO): Brigadier General (retired) Gregory J. Touhill. US CIO Tony Scott and Special Assistant to the President and Cybersecurity Coordinator J. Michael Daniel wrote in a blog post announcing the appointment that "the CISO will play a central role in helping to ensure the right set of policies, strategies, and practices are adopted across agencies and keeping the Federal Government at the leading edge of 21st century cybersecurity." Grant Schneider has been named Acting Deputy CISO.
Read more in:
Federal News Radio: White House names first federal chief information security officer

ZDNet: White House appoints first Federal Chief Information Security Officer

White House: Announcing the first Federal Chief Information Security Officer

Android Updates Address Nearly 60 Flaws (September 7, 2016)

Google has released updates for Android to fix 57 vulnerabilities, eight of which are rated critical. The patches are grouped into three "security patch level strings" to help manufacturers apply them to their devices.
Read more in:
SC Magazine: Google patches 57 Android vulnerabilities, attempts to resolve Mediaserver attacks

eWeek: Google Fleshes Out Details of Android Nougat Security Enhancements



Two Arrested for Allegedly Stealing US Government Officials' Information (September 8, 2016)

US law enforcement authorities have arrested two people who allegedly had roles in the theft and leak of information of more than 29,000 FBI and Department of Homeland Security (DHS) officials. Andrew Otto Boggs and Justin Gray Liverman allegedly used social engineering to gain access to the accounts. Three additional suspects are under investigation in the UK.

[Editor Comments]

One of the alleged avenues of compromise was a social engineering call to the Department of Justice's helpdesk. This highlights how critical it is to ensure your helpdesk staff are trained on how to spot a social engineering attack and to have robust end user identification processes in place to ensure they are dealing with the authorised owner of the account.
Read more in:
Computerworld: FBI nabs hackers who allegedly dumped details on government agents

Ars Technica: Two men charged with hacking CIA director and other high-ranking officials

Scribd: Affidavit in Support of a Criminal Complaint and Arrest Warrants

New HTTP Warnings in Chrome (September 8, 2016)

Google will start warning users about sites using HTTP rather than HTTPS early next year. When the stable version of Chrome 56 is released at the end of January 2017, the browser will warn users when sites send passwords or payment card data over non-secure, HTTP connections. The warnings are "part of a long-term plan to mark all HTTP sites as non-secure," according to Google's blog post.

[Editor Comments]

[Ullrich]
These warnings, which will be displayed in the URL bar, solve a long-outstanding problem: although SSL errors are very visible to the user, the absence of SSL is not specifically advertised. Attack tools like sslstrip have taken advantage of this flaw, and many phishing sites do not have to bother with setting up SSL. This new indicator should make it easier to educate users to spot insecure sites. But it also puts more pressure on legitimate websites to properly implement SSL.

[Northcutt]
The security.googleblog.com is the most important link. By phasing the warnings in, they are trying to maintain rapport with rank and file users while raising awareness. Most users will agree that unencrypted credit card fields are a bad idea and they plan to go from there.

[Pescatore]
I'd rather see Google donate some percentage of its advertising to "public service announcements" working to educate and change user behaviors than add more popups. The browser (and certificate) industry as a whole has failed to educate users on things like what red/green URLs mean or what it means when certificate warnings pop up.
Read more in:
Computerworld: Google puts screws to HTTP with new warnings in Chrome

CNET: Chrome to warn when insecure websites expose your passwords

The Register: Come in HTTP, your time is up: Google Chrome to shame leaky non-HTTPS sites from January

Google Blog: Moving towards a more secure web

Xen Project Patches Hypervisor Flaws (September 8, 2016)

The Xen project has released fixes for four vulnerabilities in its hypervisor. Three of the flaws could be exploited to allow guest virtual machines to take control of the host server. The fourth flaw could allow guests to cause crashes.
Read more in:
The Register: Hypervisor security ero-Xen: How guest VMs can hijack host servers

Mac OS X Backdoor (September 8, 2016)

Researchers at Kaspersky Lab have detected a variant of the Mokes malware that targets computers running the Mac OS X operating system. Other versions of Mokes are already known to target Windows and Linux systems. Mokes allows attackers to steal a variety of data from infected machines and can execute arbitrary commands.
Read more in:
ZDNet: Sophisticated Mac OS X backdoor uncovered

Securelist (Kaspersky blog): The Missing Piece - Sophisticated OS X Backdoor Discovered

WordPress Update (September 8, 2016)

WordPress has updated its content management system to version 4.6.1 to address a pair of vulnerabilities. One of the flaws could be exploited in cross-site scripting attacks. The second is a path traversal flaw in the upgrade package uploader. The update also addresses 15 additional issues.
Read more in:
SC Magazine: WordPress update fixes XSS issues

Softpedia: WordPress 4.6.1 Security Update is Out, Time to Update Peeps

WordPress: WordPress 4.6.1 Security and Maintenance Release

St. Jude Suing MedSec and Muddy Waters Over Short Sell (September 7, 2016)

St. Jude Medical is suing MedSec and Muddy Waters over "... false statements, false advertising, conspiracy and the resultant manipulation of the public markets." Last month, MedSec and Muddy Waters teamed up to release a report about alleged flaws in some St. Jude medical devices and take financial advantage of a resulting dip in the company's stock price.
Read more in:
ZDNet: MedSec sued over St. Jude pacemaker vulnerability report

Dark Reading: St. Jude Sues Muddy Waters, MedSec

The Register: St Jude sues short-selling MedSec over pacemaker 'hack' report

St. Jude: St. Jude Medical brings legal Action Against Muddy Waters and MedSec

Regmedia: Complaint (PDF)

Researchers Find Indications US State Election Board Attacks May Have Links to Russia (September 6, 2016)

Researchers at ThreatConnect have found that an Internet Protocol (IP) address used in cyberattacks against election boards in Illinois and Arizona was also used in a series of spearphishing attacks against Turkish and Ukrainian government officials and members of the German Freedom Party. The political nature of the phishing targets suggests that it could be a "state-based effort."

[Editor Comments]

[Assante]
Another example of why it is important to learn as much as we can from these types of attacks (campaigns to influence, disrupt infrastructure, disrupt government services) from around the world. Ukraine has the unfortunate role of being the bellwether for a particular country's strategic cyber efforts aimed at influencing, strong-arming, and reducing confidence.
Read more in:
Dark Reading: More Signs Point to Russian Cyberspy Connection In State Election Board


Google September Android Security Update

Hard Coded Password / Key Issue Gets Worse

Snagging Credentials From Locked Machines (Windows and OS X)

DShield Blocklist Update

Fortinet FortiWAN Load Balancer Multiple Unpatched Vulnerabilities

Rapid7 Published NSM Vulnerabilities

OPM Breached by Two Different Attackers

Spikes in SNMP Traffic: Looking for PCAPs

New Version of Wireshark Released

XEN Hypervisor Vulnerabilities

Google Moving Ahead With HTTP Phaseout

Old Windows Media Player DRM Feature Still Used To Install Malware

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create