Ending Soon! Get an iPad Air with Smart Keyboard, or Surface Go, or $300 Off with Online Training through Aug 21!

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #75

September 20, 2016

Melp recognize "unsung heroes of cybersecurity" - inside your own organization, or outside - so others may learn from their successes. Please nominate people and/or teams for the 2016 Security Difference Makers Awards. Recipients will be recognized on December 13 in Washington, DC. Choose people who deserve recognition for making meaningful progress in cybersecurity either by increasing security levels or by using security controls and processes to enable new business success. Send nominations to trends@sans.org. Deadline: October 7. Full details on how to nominate at http://www.sans.org/cyber-innovation-awards


UK Moves Toward Active Cyber Defense
Windows Patch Distribution Changes Coming Next Month
FBI Wants Ransomware Victims to Report Incidents


U.S. Small Business Cyber Security Act
NIST Seeking Industry Comments on Security Reports
Industrial Internet Consortium IoT Framework
Mozilla Will Patch Malicious Code Execution Flaw in Firefox
Cisco Will Patch IKEv1 Flaw
Cisco Patches WebEx Flaw
FBI May Pursue Indictment of Russian Hackers
Possible Method For Breaking Apple iPhone Encryption



*********************** Sponsored By Sophos Inc. **********************

With ransomware making headlines for all of the wrong reasons, the pressure is on to put together a top of the line defense. Starting from scratch can be tough, so head to the Sophos Anti-Ransomware Hub and get resources that help you better understand the threat and choose the best possible security solution. Learn More: http://www.sans.org/info/188582



--Security Leadership Summit & Training | Dallas, TX | September 27 - October 4, 2016 |

--SANS Seattle 2016 | October 3-8, 2016 | Seattle, WA |

--SANS DFIR Prague 2016 | October 3-15, 2016 | Prague, Czech Republic |

--SANS Baltimore 2016 | October 10-15, 2016 | Baltimore, MD |

--SANS Tokyo Autumn 2016 | October 17-29, 2016 | Tokyo, Japan |

--SANS Tysons Corner 2016 | October 22-29, 2016 | Tysons Corner, VA |

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA |

--Pen Test HackFest Summit & Training | November 2-9, 2016 | Crystal City, VA |

--Healthcare Cybersecurity Summit & Training | November 14-21, 2016 | Houston, TX |

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC |

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA |


UK Moves Toward Active Cyber Defense (September 13 & 16, 2016)

Ciaran Martin, Director general Cyber at Government Communications Headquarters (GCHQ) and chief executive of the National Cyber Security Centre (NCSC), said at the Billington Cyber-Security Summit in Washington, DC that GCHQ is moving toward "active cyber defence." The approach means not only "disruptive and potentially lawfully governed defensive capabilities," but also "where the government takes specific action with industry to address large-scale, non-sophisticated attacks that are doing so much damage." GCHQ also plans to work with Internet service providers (ISPs) to use DNS filters to help thwart cyberattacks. Citizens will likely be permitted to opt out of DNS filtering.

[Editor Comments ]

[Assante ]
The United Kingdom continues to seek innovation and provide leadership in the challenging space of industry and government cooperation. The recognition that there are things the government should be doing to reduce the opportunity for cyber attackers is an important one. One final note, the "active defense" definition applied here is an expansion of the term.

[Honan ]
While on the surface this may appear to be a good idea, I hope that there will be proper checks and balances, and transparency as to what sites and traffic get blocked.

[Pescatore ]
By "Active Defence" the UK is *not* talking about strike-back. What they are talking about is in this sentence from Ciaran Martin, Director-General Cyber GCHQ's talk: "...we are looking at using a series of automated measures aimed at making UK Government networks the most secure in the world. If some of them work, we hope others will adopt them. " This is a VERY good thing. Then, even better, he adds some concrete examples like government implementation of DMARC policy on government email. Back in 1998, in PDD 63 the US had similar talk: "The Federal Government shall serve as a model to the private sector on how infrastructure assurance is best achieved and shall, to the extent feasible, distribute the results of its endeavors." The US never matched the talk with action to obtain meaningful improvement in the security of federal systems, as many recent events have shown. Maybe 18 years later, the UK government actions will spur US to follow.
Read more in:
The Register: National Cyber Security Centre to shift UK to 'active' defence
SC Magazine UK: GCHQ planning use of DNS filters to curb cyber-attacks

CESG: A new approach for cyber security in the UK (Transcript of Martin's speech)

Windows Patch Distribution Changes Coming Next Month (September 19, 2016)

Starting next month, Microsoft will change how some of its patches for Windows are delivered. Starting October 11, updates for Windows 7 and Windows 8.1 will be cumulative, No more individual patches. Updates will be delivered as a monthly roll-up or a security-only update. Users running Windows Update will automatically default to the monthly roll-up option. Organizations running Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) can choose either option. Fixes for Internet Explorer (IE) will not be included in the cumulative updates; IE patches will still be delivered separately. (IE 11 is the only version of the browser that Microsoft is currently supporting for Windows 7 and 8.1.) Windows Vista and Server 2008 will continue to receive granular updates.

[Editor Comments ]

[Pescatore ]
The Windows 10 practice of bundling security patches with functionality updates is *not* a good thing. It is sort of like Oracle and Adobe constantly trying to trick users into installing applications just to get the patches. Bundling all security patches into one mega-patch for Win 7/8 isn't necessarily a bad thing, if Microsoft can significantly raise the bar on the quality of its patch releases over recent release.

[Assante ]
This change may help many enterprises streamline their patch management, but it may also add tremendous challenges for North American Bulk Electricity System entities needing to comply with NERC CIP-007-6 R2 Security Patch Management Requirements. Learn more from our Blog:

Read more in:
Computerworld: Microsoft won't bundle IE patches with new cumulative updates for Windows 7 and 8.1

Microsoft: Further simplifying servicing models for Windows 7 and Windows 8.1

FBI Wants Ransomware Victims to Report Incidents (September 16, 2016)

The FBI is asking organizations and individuals that are victims of ransomware to share that information. "Knowing more about victims and their experiences with ransomware will help the FBI determine who is behind the attacks and how they are identifying or targeting victims."

[Editor Comments ]

[Henry ]
Jadee Hanson, Code42's director information security, said "The latest FBI's recent plea for ransomware victims to report incidents is almost unprecedented." "The security industry appreciates the FBI's request for more information on ransomware attacks. But the ask is akin to reporting a car break in - there is little chance of recovering what's been lost." I don't agree; the FBI routinely asks the public for information about various types of crimes and attacks, in both the physical and the digital world. We saw this just yesterday with the arrest related to the bombing in New York City. That model...collection of intelligence from the private sector....is valuable if the actionable intelligence is collected which allows the FBI to gain a better understanding of the adversaries and their tactics. It also offers a better opportunity for attribution and, ultimately, mitigation. The private sector's unwillingness or inability to share creates a critical blind spot, and contributes to both the proliferation and persistence of the threat.

[Honan ]
Readers outside of the US: please take the time to report instances of ransomware to your local law enforcement. It is through sharing information and intelligence that we as a global community can put those responsible for cybercrime behind bars.
Read more in:
SC Magazine: FBI asks ransomware victims to come forward

FBI PSA: Ransomware Victims Urged to Report Infections to Federal Law Enforcement
KrebsonSecurity: Ransomware Getting More Targeted, Expensive

*************************** SPONSORED LINKS *****************************

1) The End of Ransomware: Everything you need to know to stop ransomware. Learn more: http://www.sans.org/info/188602

2) Monitoring the Most Interesting Network in the World: Insights from the Black Hat NOC. Register: http://www.sans.org/info/188592

3) Walk through understanding the Security Content Automation Protocol and tools to help apply industry standards to your production servers. Register: http://www.sans.org/info/188597



U.S. Small Business Cyber Security Act (September 19, 2016)

US legislators in the House of Representatives are scheduled to vote on an amendment to the Small Business Act that will provide more cybersecurity services to small businesses through small business development centers. The Small Business Administration would be responsible for increasing the centers' offerings according to strategy it would develop with the US Department of Homeland Security (DHS). The Improving Small Business Cyber Security Act is slated for a vote on Wednesday, September 21.

[Editor Comments ]

[Henry ]
One of the biggest gaps I see in cybersecurity is the inability of small businesses to obtain adequate technology and expertise to counter this threat. I applaud DHS's initiative here, and I'd be interested to see what active monitoring or intelligence sharing programs they can share that go beyond merely "education." That sounds like a much longer and exhaustive process.
Pescatore ]
I've learned a trick in reading and analyzing these "Cybersecurity Improvement" pieces of legislation that I call YAUM analysis, and it applied to this one. The key phrase to look for is found at the very end of the draft amendment: "No additional funds are authorized to be appropriated to carry out the requirements of this Act or the amendments made by this Act. " I call this Yet Another Unfunded Mandate (YAUM) - nice talk, doesn't support the walk.
Read more in:
The Hill: House to vote on cyber bill for small business

US House: Text of Bill

NIST Seeking Industry Comments on Security Reports (September 19, 2016)

The US National Institute of Standards and Technology (NIST) is seeking industry comment on two draft reports on cybersecurity issues pertinent to the Internet of Things (IoT). The first report concerns a proposed manufacturing profile for the NIST Cybersecurity Framework. The comment deadline for the draft profile is November 4, 2016. The second report is a NIST internal report concerning cryptographic standards and "practices for resource-constrained processors." NIST plans to host a Lightweight Cryptography Workshop on October 17-18, 2016.
Read more in:
EE Times: NIST Seeks Comments on Cybersecurity Reports
NIST: Cybersecurity Framework Manufacturing Profile (PDF)

NIST: Report on Lightweight Cryptography (PDF)


Industrial Internet Consortium IoT Framework (September 19, 2016)

The Industrial Internet Consortium (IIC) has published the Industrial Internet Security Framework (IISF). The document lays out best practices for developers and users. It also aims to build consensus among organizations developing and using IoT devices and provide a common language for talking about IoT. IIC members include Bosch, IBM, Intel, NIST, Siemens, and MIT.

[Editor Comments ]

[Assante ]
This is a comprehensive resource that paints a picture of a utopian world to achieve. Readers find themselves becoming more excited as they turn each page, but there is something tugging away at that excitement. With so many solid ideas, why is today's reality so disappointing if it is in every stockholder's interest to pursue the suggested framework? I enjoyed the principles section and would like to see more system-of-systems and engineering principals included as well!
Read more in:
Computerworld: Industrial IoT inches toward consensus on security

IIConsortium: Industrial Internet Security Framework Technical Report
IIConsortium: IIC Website

Mozilla Will Patch Malicious Code Execution Flaw in Firefox (September 16 & 18, 2016)

Mozilla says it will fix a vulnerability in Firefox that could be exploited to conduct man-in-the-middle attacks. The attack would require obtaining a valid certificate for addons.mozilla.org, which while a daunting task for most individuals, is "within the reach of powerful adversaries such as nation states." Mozilla will release the Firefox update on Tuesday, September 20. The same flaw was patched in the Tor browser last week.
Read more in:
Ars Technica: Mozilla plans Firefox fix for same malware vulnerability that bit Tor

The Register: Mozilla will patch zero-day Firefox bug to fiddle man-in-the-middle diddle www.theregister.co.uk/2016/09/18/mozilla_tor_flaws/
Tor Project: Tor Browser 6.0.5 is released, he same flaw was patched in Tor last week.

Cisco Will Patch IKEv1 Flaw (September 19, 2016)

Cisco will release patches for an information disclosure vulnerability in Internet Key Exchange version 1 (IKEv1) packet processing code that affects multiple Cisco products. The flaw could be exploited to "allow an unauthenticated, remote attacker to retrieve memory contents." The vulnerability is believed to be similar to one used in an exploit from a cyberespionage group with links to the US National Security Agency (NSA). There are currently no workarounds available.
Read more in:
Computerworld: Cisco patches Equation Group exploit

Cisco: IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products

Cisco Patches WebEx Flaw (September 16, 2016)

Cisco has released a patch to fix a vulnerability in its WebEx Meetings Server that could be exploited to execute arbitrary commands on WebEx servers. There are no workarounds for the flaw; administrators are urged to apply the patch.
Read more in:
The Register: Cisco drops patch for nasty WebEx remote code execution hole
Cisco: Cisco WebEx Meetings Server Remote Command Execution Vulnerability

FBI May Pursue Indictment of Russian Hackers (September 15, 2016)

The FBI is trying to gather sufficient evidence to pursue indictments against Russian hackers who are allegedly responsible for stealing data from the DNC and other organizations. One US official noted that "Doing nothing is not an option, because that would telegraph weakness and just encourage" more of the same activity.
Read more in:
Reuters: FBI trying to build legal case against Russian hackers: sources

Possible Method For Breaking Apple iPhone Encryption (September 19, 2016)

Cambridge UK Research Associate Sergei Skorobogatov demonstrated a NAND attack against the chip containing the PIN of an Apple iPhone 5c. Using low cost hardware he was able to brute force the entire 4 digit PIN space in 24 hours. This provides an elegant solution to the so called Rizwan Syed Farook, (California ISIS shooter), problem.


Read more in:






Cisco Issues Advisories for IKEv1 "heartbleed like" Vulnerability

Intercepting OS X Passwords

Vulnerabilities Introduced By Converting 32 Bit to 64 Bit

HSTS Preload Database and Webservices

Taking Over Facebook Pages

Exchange Auto-Discovery Vulnerability

Spyware Apps Targeting Travelers Removed From Goolge App Store

Firefox Will Patch HSTS Vulnerability

The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create