
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #91

November 15, 2016


Hack the Army Bug Bounty Challenge
Microsoft Moving to Security Portal for Patch Tuesday
FriendFinder Networks Accounts Exposed
HNAP Protocol Flaw in D-Link Routers


BlackNurse Requires Just One Laptop to Launch DDoS
OMB FISMA Memo Clarifies What Constitutes a Major Cyber Security Incident
OMB Releases Federal Website Policy Update
Australian Retailer Acknowledges Inadvertent Data Exposure
UK Approves Lauri Love's Extradition
Linux LUKS Disk Encryption Vulnerability
OAuth Vulnerability May Put Access and Data to a Billion Mobile Apps At Risk



*********************** Sponsored By Sophos Inc. ************************
Don't be a data loss headline! With data hacks getting ever more sophisticated, the best way to avoid being a victim - and a headline - is to secure all of your data, all of the time. Introducing Next-Gen Encryption: stop breaches, collaborate securely and stay compliant. Learn more: http://www.sans.org/info/189767
***************************************************************************


--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC | https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Amsterdam 2016 | December 12-17, 2016 | Amsterdam, Netherlands | https://www.sans.org/event/amsterdam-2016

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA | https://www.sans.org/event/security-east-2017

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA | https://www.sans.org/event/anaheim-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore | https://www.sans.org/event/secure-singapore-2017



Hack the Army Bug Bounty Challenge (November 11 & 14, 2016)

The US Army has announced its first "Hack the Army" competition. As with the "Hack the Pentagon" event held earlier this year, participants are invited to search for security issues in specified systems. Unlike the Pentagon's event, which limited probing to static websites, the Army's event will focus on the Army's digital recruiting infrastructure, which includes websites and databases holding information about applicants and existing personnel. The event is by invitation only.

[Editor Comments ]

[Pescatore ]
Good to see this approach spreading across DoD. Time for the civilian side of the federal government to follow suit.

[Murray ]
Very clever, not to say cunning. Many hackers are more motivated by ego than dollars. The hackers will be exposed to the recruiting content. Some talent may be identified.

Read more in:

Dark Reading: US Army Challenges Security Researchers To 'Bring It On'

Wired: The US Military Launches "Hack the Army," its Most Ambitious Bug Bounty Yet

Microsoft Moving to Security Portal for Patch Tuesday (November 14, 2016)

Starting next year, Microsoft will change the format of its monthly security bulletins. The index of static documents will be replaced with a database-driven portal called the Security Update Guide. The portal is currently in preview; bulletins for November 2016, December 2016, and January 2017 will be published in both formats; starting with February's updates, patch information will be available only through the Security Update Guide.

[Editor Comments ]

[Ullrich ]
About time. Microsoft security bulletins have become very hard to parse given the large number of Windows versions and configuration options they cover. Maybe Microsoft will even offer a standard parsable format (XML...)

Read more in:

ZDNet: Patch Tuesday overhaul: Microsoft to replace security bulletin index with database-driven portal

FriendFinder Networks Accounts Exposed (November 13 & 14, 2016)

Hundreds of millions of user accounts at FriendFinder Networks were compromised in an attack believed to have occurred in October. The breach appears to include information for deleted accounts as well as active ones, and nearly all account passwords were compromised.

[Editor Comments ]

[Williams ]
Perhaps the most concerning aspect here is that "deleted" accounts were also compromised. This announcement comes on the heels of discovering that Ashley Madison wasn't actually deleting accounts, either. If you store customer data, ensure you are telling the truth when you tell them their data is deleted.

Read more in:

Computerworld: Biggest hack of 2016: 412 million FriendFinder Networks accounts exposed

ZDNet: AdultFriendFinder network hack exposes 412 million accounts

HNAP Protocol Flaw in D-Link Routers (November 11, 2016)

The CERT Coordination Center (CERT/CC) has issued a vulnerability note warning of a stack-based buffer overflow in the HNAP (Home Network Administration Protocol) service of D-Link routers. The flaw could be exploited to allow "a remote, unauthenticated attacker ... to execute arbitrary code with root privileges." The note lists the D-Link routers known to be affected (DIR-823, DIR-822, DIR-818L(W), DIR-895L, DIR-890L, DIR-885L, DIR-880L, and DIR-868L). D-Link has issued fixes for some of the affected products. The researcher who found the vulnerability says other devices could be affected as well.
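
The practical question for an owner of one of these devices is whether HNAP answers on the WAN side at all, since the flaw needs no password. The script below is an added example written for this page, not D-Link, CERT/CC or the researcher's code: it fetches /HNAP1/ from a host, parses the SOAP GetDeviceSettings reply that HNAP devices return to an unauthenticated GET, and flags models that appear in the advisory's list. The sample reply embedded in it is constructed, the field names follow the HNAP1 convention, the model list is copied from the item above, and the assumption that a model-name match alone is a hit (firmware versions carrying the fix are not tracked) is stated in the code.

```python
"""Added example: probe a router's HNAP endpoint and check the reported model
against the list in the advisory above. Not D-Link, CERT/CC or the researcher's
code; the sample response below is constructed, not captured from a device."""
import sys
import xml.etree.ElementTree as ET
from urllib.error import URLError
from urllib.request import Request, urlopen

HNAP_NS = "http://purenetworks.com/HNAP1/"

# Models named in the advisory as summarised above ("DIR-818L(W)" covers both
# spellings). Assumption: a model-name match alone is treated as a hit; the
# firmware versions that carry the fix are not tracked here.
AFFECTED_MODELS = {
    "DIR-823", "DIR-822", "DIR-818L", "DIR-818LW", "DIR-895L",
    "DIR-890L", "DIR-885L", "DIR-880L", "DIR-868L",
}

# Constructed sample of what an unauthenticated GET /HNAP1/ typically returns
# (a SOAP GetDeviceSettingsResponse). Field names follow the HNAP1 convention.
SAMPLE_HNAP_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetDeviceSettingsResponse xmlns="http://purenetworks.com/HNAP1/">
<GetDeviceSettingsResult>OK</GetDeviceSettingsResult>
<Type>GatewayWithWiFi</Type>
<DeviceName>DIR-868L</DeviceName>
<VendorName>D-Link</VendorName>
<ModelName>DIR-868L</ModelName>
<FirmwareVersion>1.10</FirmwareVersion>
</GetDeviceSettingsResponse>
</soap:Body>
</soap:Envelope>"""


def parse_device_settings(body):
    """Extract identifying fields from a GetDeviceSettings reply.

    Returns an empty dict when the body is not XML or carries no HNAP
    response, which is what a login page or a 404 body looks like."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {}
    resp = root.find(".//{%s}GetDeviceSettingsResponse" % HNAP_NS)
    if resp is None:
        return {}
    fields = {}
    for tag in ("VendorName", "ModelName", "DeviceName", "FirmwareVersion"):
        node = resp.find("{%s}%s" % (HNAP_NS, tag))
        if node is not None and node.text:
            fields[tag] = node.text.strip()
    return fields


def assess(settings):
    """Classify a parsed reply: 'no-hnap', 'hnap-exposed' or 'listed-affected'."""
    model = settings.get("ModelName", "").upper()
    if not model:
        return "no-hnap"
    # Some firmware reports a hardware revision after a slash, e.g. "DIR-868L/A".
    # Assumption: the part before the slash is the model.
    if model.split("/")[0] in AFFECTED_MODELS:
        return "listed-affected"
    return "hnap-exposed"


def fetch_hnap(host, port=80, timeout=5):
    """Network part: fetch /HNAP1/ from a host, or None if unreachable.

    Run it against your WAN address from outside your network: any result
    other than 'no-hnap' means the admin protocol is reachable where it
    should not be, whatever the admin password is."""
    req = Request("http://%s:%d/HNAP1/" % (host, port),
                  headers={"User-Agent": "hnap-exposure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.read()
    except (URLError, OSError):
        return None


if __name__ == "__main__":
    body = fetch_hnap(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HNAP_RESPONSE
    info = parse_device_settings(body or b"")
    print(info, assess(info))
```

Run with no arguments it parses the constructed sample; with a host argument it probes that host. "hnap-exposed" for a model outside the list is still a finding worth acting on, since the researcher expects further devices to be affected and an exposed admin protocol is a problem in its own right.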

[Editor Comments ]

[Ullrich ]
I do not believe there is any home/SMB router that is free of vulnerabilities in its admin interface. Do not provide access to the admin interface from outside your network, and if you have to, then lock it down as best you can with firewall rules. A strong password will not protect you against flaws like this one that do not require authentication.

[Williams ]
HNAP is, thankfully, falling out of favor. For perspective, while the security bulletin says this is "remotely exploitable," it means exploitable from the LAN only. D-Link routers ship with WAN administration disabled and HNAP should not be accessible from the WAN interface.

Read more in:

Computerworld: Another HNAP flaw in D-Link routers

CERT: D-Link routers HNAP service contains stack-based buffer overflow

D-Link: Support Announcement: HNAP stack overflow

*************************** SPONSORED LINKS *****************************

1) Watch Splunk experts discuss real-world examples of Splunk Enterprise Security frameworks, and also demo these frameworks. Join now! http://www.sans.org/info/189772

2) Everything you wanted to know about Security Information and Event Management (SIEM) but were afraid to ask. Get your copy of the Beginner's Guide to SIEM now. http://www.sans.org/info/189777

3) This Friday in DC: SANS Federal Government Cyber Security Briefing: How to Avoid Being the Next Agency to Announce a Major Breach. Learn More: http://www.sans.org/info/189782



BlackNurse Requires Just One Laptop to Launch DDoS (November 12 & 14, 2016)

A technique known as BlackNurse allows an attacker to knock enterprise firewalls offline using a single laptop. With a traffic volume of just 15 megabits per second, the attack sends a stream of Internet Control Message Protocol (ICMP) Type 3, Code 3 (Destination Unreachable, Port Unreachable) packets, which exhausts the CPU of the targeted firewall rather than its bandwidth.
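
Because the attack is a CPU attack, not a bandwidth attack, the useful signal is the packet rate of one specific ICMP type/code from one source, and the mitigation has to leave other ICMP errors alone (Type 3, Code 4, "fragmentation needed", is what Path MTU discovery depends on). The following is an added example written for this page, not TDC's or any firewall vendor's code: it parses IPv4/ICMP packets, scores only Type 3/Code 3 per source per one-second window, and raises one alert when the count passes a threshold. The packets it processes are constructed in memory with zero checksums; the 1000 pps threshold and the 64-byte frame size used to convert the quoted 15 Mbps into a packet rate are assumptions, marked in the code.

```python
"""Added example: tell a BlackNurse-style ICMP Type 3/Code 3 flood apart from the
ICMP error traffic a network needs. Detection logic only; not TDC's or any
vendor's code. The packets fed to it below are constructed in memory."""
import socket
import struct
from collections import defaultdict

ICMP_PROTO = 1
ICMP_DEST_UNREACH = 3
CODE_PORT_UNREACH = 3      # the BlackNurse packet
CODE_FRAG_NEEDED = 4       # needed for Path MTU discovery; never drop blindly


def pps_at_rate(mbps, frame_bytes=64):
    """Packets per second a link rate amounts to for a given frame size.
    At the 15 Mbps quoted above and minimum-size frames (assumption) this is
    roughly 29,000 pps, which is why one laptop is enough."""
    return int(mbps * 1_000_000 / 8 / frame_bytes)


def build_icmp_packet(src, dst, icmp_type, icmp_code, payload=b"\x00" * 28):
    """IPv4 + ICMP packet with zero checksums: enough for the parser, not the wire."""
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     ICMP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp


def parse_icmp(pkt):
    """Return (src, icmp_type, icmp_code) for an IPv4 ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != ICMP_PROTO or len(pkt) < ihl + 4:
        return None
    return socket.inet_ntoa(pkt[12:16]), pkt[ihl], pkt[ihl + 1]


class BlackNurseDetector:
    """Counts Type 3/Code 3 per source per one-second window and raises one
    alert per (source, window) once the count passes the threshold.
    The 1000 pps default is an assumption; tune it to the firewall's
    observed baseline of port-unreachable traffic."""

    def __init__(self, pps_threshold=1000):
        self.pps_threshold = pps_threshold
        self.counts = defaultdict(int)
        self.alerted = set()

    def observe(self, ts, pkt):
        parsed = parse_icmp(pkt)
        if parsed is None:
            return None
        src, itype, code = parsed
        # Only the port-unreachable flood is scored; fragmentation-needed
        # (3/4) and everything else pass through untouched.
        if (itype, code) != (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
            return None
        key = (src, int(ts))
        self.counts[key] += 1
        if self.counts[key] > self.pps_threshold and key not in self.alerted:
            self.alerted.add(key)
            return "blacknurse-suspect src=%s window=%d count>%d" % (
                src, key[1], self.pps_threshold)
        return None


def run_sample():
    """Constructed one-second trace: a 3/3 flood from one host interleaved with
    the same number of legitimate 3/4 and echo-request packets from others.
    Returns the list of alerts raised (expected: exactly one, for the flood)."""
    det = BlackNurseDetector(pps_threshold=1000)
    alerts = []
    flood = build_icmp_packet("203.0.113.7", "198.51.100.1",
                              ICMP_DEST_UNREACH, CODE_PORT_UNREACH)
    frag = build_icmp_packet("192.0.2.9", "198.51.100.1",
                             ICMP_DEST_UNREACH, CODE_FRAG_NEEDED)
    echo = build_icmp_packet("192.0.2.10", "198.51.100.1", 8, 0)
    for i in range(1500):
        ts = i / 1500.0
        for pkt in (flood, frag, echo):
            alert = det.observe(ts, pkt)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    print("15 Mbps at 64-byte frames is about %d pps" % pps_at_rate(15))
    for line in run_sample():
        print(line)
```

The same selector (protocol ICMP, type 3, code 3, per-source rate) is what an edge filter or rate-limit rule should key on; dropping all of ICMP Type 3 would silence the fragmentation-needed messages and break Path MTU discovery for everything behind the firewall.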

[Editor Comments ]

[Ullrich ]
The correct stateful processing of ICMP error messages has always been tricky, and can cause some CPU load. The simplest defense is to selectively block these messages. It used to be possible/advisable to block all ICMP messages. But with modern operating systems relying more and more on Path MTU discovery (PMTU), in particular fragmentation required messages should not be blocked.

[Northcutt ]
For 20 years best practice has been not to let ICMP in or out of an organization's autonomous system. ISPs should consider limiting it on the backbone, only allowing what they need to provide service, and then filtering it upstream of the customer. SANS has provided a .pdf handout for years so analysts don't have to memorize what Type 3, Code 3 references. Also, here is the blog post the stories are based on:



Read more in:

Computerworld: DoS technique lets a single laptop take down an enterprise firewall

Ars Technica: New attack reportedly lets 1 modest laptop knock big servers offline

OMB FISMA Memo Clarifies What Constitutes a Major Cyber Security Incident (November 14, 2016)

Earlier this month, the US Office of Management and Budget (OMB) released its 2017 FISMA Guidance to government agencies. The newest version of the document defines a major cyber incident as "any incident that is likely to result in demonstrable harm to the security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people." Major cyber incidents must be reported to Congress.

[Editor Comments ]

[Pescatore ]
The guidance defines any breach that exposes records of more than 100,000 to be a Major Breach, even if the other requirements are not met. It is hard to quantify what would be the right level, but 100,000 records seems high to me. The guidance also requires use of the NCCIC Cyber Incident Scoring System, which is new, but it would be good to see standardization in reporting - kinda like CVSS. I also noticed, agency annual reports now go to at least *8* separate government agencies or committees...

Read more in:

Federal News Radio: OMB tries again to define a major cyber incident

FCW: White House tweaks incident reporting in FISMA memo

White House: OMB Memo: Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements

OMB Releases Federal Website Policy Update (November 11, 2016)

The US Office of Management and Budget's updated policy for federal agencies' public-facing websites addresses accessibility, security, and functionality. The policy requires agencies to ensure their websites are accessible from a variety of devices. It also calls for agencies to establish basic website and digital services governance and to treat the sites and services as part of their mission.

[Editor Comments ]

There is a strong focus on privacy but the security section just points to OMB A-130 and NIST's 800-44 from 2007. 800-44 barely mentions application security. I'd like to see modern guidance requiring all web code be tested before Authority to Operate, and after every change, once operational. The Pentagon's "Hack the Pentagon" program is a great example of the latter; there are many examples of success stories for pre-release application security testing.

Read more in:

FCW: OMB updates 12-year-old federal website policy

White House: OMB Memo: Policies for Federal Agency Public Websites and Digital Services

Australian Retailer Acknowledges Inadvertent Data Exposure (November 14, 2016)

Australian retail company Big W says that a technical issue caused online shopping checkout screens to be pre-populated with other customers' personal information. The problem occurred last week and has been resolved. Big W is contacting affected customers and has notified the Office of the Australian Information Commissioner's privacy commissioner.

Read more in:

ZDNet: Big W confirms customer data exposure

UK Approves Lauri Love's Extradition (November 14, 2016)

The UK Home Secretary has signed an extradition order for Lauri Love, who faces charges in the US for allegedly breaking into government and military computer systems and stealing information. Love has been fighting his extradition for several years, citing concerns that he would not receive a fair trial in the US. Love is likely to seek permission to appeal the decision to the UK's High Court.

Read more in:

Computerworld: U.K. approves hacker's extradition to the U.S.

The Register: UK Home Secretary signs off on Lauri Love's extradition to US

Linux LUKS Disk Encryption Vulnerability (November 15, 2016)

A vulnerability in the way some Linux distributions set up Linux Unified Key Setup (LUKS) disk encryption could be exploited by someone with physical access to copy, modify, or destroy the disk, or to exfiltrate data. The issue lies in the cryptsetup boot script that prompts for the LUKS passphrase: after enough failed attempts it drops the user to a root shell in the initramfs instead of halting. The encrypted volume itself is not unlocked by this, but the attacker gets root on the machine before the operating system boots.

[Editor Comments ]

[Williams ]
This is only a local exploit with no opportunity for remote exploitation. Many have noted that this trivial-to-exploit vulnerability impacts only those who tried to be secure using LUKS, but who without LUKS were already vulnerable to physical attacks anyway. The real story here is that while open source is supposed to prevent trivial vulnerabilities like this (with many eyes on the code), it clearly doesn't. As one reporter noted, "open source only works if you actually read the code" - a task that exceeds the skill of most users.

Read more in:

ZDNet: Major Linux security hole gapes open

OAuth Vulnerability May Put Access and Data to a Billion Mobile Apps At Risk (November 10, 2016)

Researchers from The Chinese University of Hong Kong have released a report claiming that a flaw in the way mobile apps use OAuth 2 for sign-in exposes a billion mobile app accounts. The problem has the potential to affect Facebook, Google and Sina users.
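
The page does not reproduce the report's findings, so the following is an added example of the general class of shortcut the editor comment that follows refers to; it is written for this page and is not code from the report or from any provider's SDK. It assumes the shortcut is an app backend that trusts the user identity the mobile client relays from the identity provider, instead of verifying the access token with the provider and checking that the token was issued to this app. The identity provider is a stub object so the example runs offline; the client IDs, user IDs and tokens are made up.

```python
"""Added example: an app backend that accepts an OAuth 2 sign-in, the shortcut
beside the check. Not code from the CUHK report or any provider; the identity
provider is a stand-in object and all identifiers are made up."""
import secrets


class StubIdentityProvider:
    """Stands in for a provider's token-verification endpoint (the role that
    endpoints such as Google's tokeninfo or Facebook's debug_token play).
    Assumption: the provider reports which user the token belongs to and
    which app ('aud', the audience) it was issued to."""

    def __init__(self):
        self._tokens = {}

    def issue(self, user_id, client_id):
        token = secrets.token_urlsafe(16)
        self._tokens[token] = {"user_id": user_id, "aud": client_id}
        return token

    def verify(self, token):
        return self._tokens.get(token)


OUR_CLIENT_ID = "app-A"  # this backend's own OAuth client id (made up)


def login_shortcut(claimed_user_id):
    """The shortcut: the mobile client says 'the provider told me I am user X'
    and the server opens a session for X without asking the provider. Anyone
    who can send a request to this endpoint picks the account they get."""
    return {"session_for": claimed_user_id}


def login_verified(idp, access_token, claimed_user_id):
    """The check: ask the provider who the token is for and which app it was
    issued to, and only then open the session. The audience check matters on
    its own: a valid token for the victim issued to some other app must not
    log the victim in here."""
    info = idp.verify(access_token)
    if info is None:
        raise PermissionError("token not recognised by the provider")
    if info["aud"] != OUR_CLIENT_ID:
        raise PermissionError("token was issued to a different app")
    if info["user_id"] != claimed_user_id:
        raise PermissionError("token belongs to a different user")
    return {"session_for": info["user_id"]}


def demo():
    """Runs the same four sign-in attempts against both servers and returns
    which account each one ends up logged in as (or why it was denied)."""
    idp = StubIdentityProvider()
    victim_token = idp.issue("victim", OUR_CLIENT_ID)      # stays on the victim's phone
    attacker_token = idp.issue("attacker", OUR_CLIENT_ID)  # attacker's own valid sign-in
    other_app_token = idp.issue("victim", "app-B")         # victim's token for another app

    results = {"shortcut, attacker claims victim": login_shortcut("victim")["session_for"]}
    attempts = {
        "verified, attacker token claims victim": (attacker_token, "victim"),
        "verified, other app's token for victim": (other_app_token, "victim"),
        "verified, attacker signs in as self": (attacker_token, "attacker"),
        "verified, victim signs in as self": (victim_token, "victim"),
    }
    for name, (token, uid) in attempts.items():
        try:
            results[name] = login_verified(idp, token, uid)["session_for"]
        except PermissionError as exc:
            results[name] = "denied: %s" % exc
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print("%-42s -> %s" % (name, outcome))
```

Against a real provider, `verify` corresponds to a server-to-server call to the provider's token-verification endpoint (or, for an ID token, signature and claim validation); what the mobile client sends about its own identity is input to that check, never a substitute for it.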

[Editor Comments ]

[Guest Editor David Hoelzer ]
When I first saw that I thought, "uh oh. OAuth is broken?!?" Having read it, it turns out to be yet another example of programmers making terrible decisions, bad assumptions and taking shortcuts. However, SANS.EDU faculty member Stephen Northcutt is building a graduate student project around the report. If you know of an open source mobile app that uses OAuth 2, please send a link to stephen@sans.edu.

Read more in:





EMET Will Defeat Shell Code Executing Inside Word

Bitcoin Miners Distributed via FTP Exploits

5 Russian Banks Suffer DoS Attack

Wifi May Reveal Mobile Phone Passwords

Indictment for the theft of FIFA Game Coins

Crysis Ransomware Master Encryption Key Released

Adult Friend Finder Breached

Lightbulb Web Application Firewall Auditing Framework

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board