OnDemand SME Support = Get Your Questions Answered! Get an iPad mini, Surface Go 2, of $300 Off Now

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #99

December 16, 2016


One Billion Yahoo Accounts Breached in Separate 2013 Attack
Republican National Committee Dodged "Less Aggressive" Version Of Cyber Attack That Penetrated DNC
US Election Assistance Commission Breached


Netgear Router Fix is Simple/Not Simple
New Site Checks News and Media Sites' Use of Encryption
Third Man Arrested in JPMorgan Breach
ESET: Attacks Targeting Ukrainian Banks Bear Similarities to Last Years Power Station Attacks
Filmmakers and Photojournalists Want Encrypted Cameras
Microsoft Releases 12 Security Bulletins; Separately, Fixes DHCP Issue
Adobe Releases Fixes for Flash and Other Products
Edge Will Push Flash to the Sidelines
Google Publishes 21 National Security Letters



*********************** Sponsored By Carbon Black ************************

Antivirus is not dead, but it is being replaced with Next Gen Antivirus that goes far beyond signatures and heuristics to detect specific patterns of tactics, techniques and procedures. But replacing antivirus isn't easy. Registrants that download this SANS Guide http://www.sans.org/info/190947 between now and December 24th, 2016 will be entered in a drawing for a complementary SANS Course of your choice sponsored by Carbon Black (Travel & hotel expenses not included)


--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA | https://www.sans.org/event/security-east-2017

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA | https://www.sans.org/event/anaheim-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore | https://www.sans.org/event/secure-singapore-2017

--SANS Online Training Get a MacBook Air or PC Laptop with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training: SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/



One Billion Yahoo Accounts Breached in Separate 2013 Attack (December 14, 2016)

Yahoo has disclosed yet another breach of user accounts; this incident occurred in August 2013 and affected more than one billion accounts. The "incident is likely distinct from" the breach acknowledged earlier this year regarding the compromise of 500 million accounts. Yahoo has said that the attackers may have found a way to breach the accounts by stealing the company's proprietary source code and using it to forge authentication cookies.

[Editor Comments ]

[Pescatore ]
Yahoo has pretty much joined Adobe Flash in the "Cybersecurity Justin Bieber" club: you know whenever they are in the news, it is going to be because they screwed up yet again. Two lessons to learn here: (1) Failing to protect users today is a big aspect of failing in your market - others like Google Mail and Microsoft/Hotmail avoided or limited the scope of similar attacks and gained market share; and (2) Boards of Directors and CEOs take note: Yahoo's acquisition by Verizon is not going to happen or will be for a much lower value. Both (1) and (2) show that cybersecurity competency is directly tied to shareholder value.

[Williams ]
I'm less concerned with how the attack occurred and more concerned with the impact. Yahoo was reportedly storing passwords using MD5 hashes and there is no mention of any salt. Attackers may also have accessed plaintext answers to security questions, placing users who use the same security questions and answers across multiple sites at risk. Now is a great time to remind users that security questions should also be site specific.

[Northcutt ]
The largest data breach known to date just got larger. I have tried to keep all the relevant data about the Yahoo breaches and the impact on the potential Verizon acquisition in one file. If I am missing anything relevant, please shoot me a note to stephen@sans.edu. You are security people so you know this, but make sure to tell your mothers, neighbors and so forth that if they had a Yahoo account, be sure not to use that password on any other system.


Read more in:

Wired: Hack Brief: Hackers Breach a Billion Yahoo Accounts. A Billion

The Register: Yahoo! says! hackers! stole! ONE! BEELION! user! accounts!

ZDNet: Yahoo hacked again, more than one billion accounts stolen

KrebsOnSecurity: Yahoo: One Billion More Accounts Hacked

Republican National Committee Dodged "Less Aggressive" Version Of Cyber Attack That Penetrated DNC (December 16, 2016)

Russian hackers tried to penetrate the computer networks of the Republican National Committee, using the same techniques that allowed them to infiltrate its Democratic counterpart, according to U.S. officials who have been briefed on the attempted intrusion. But the intruders failed to get past security defenses on the RNC's computer networks, the officials said. And people close to the investigation said it indicated a less aggressive and much less persistent effort by Russian intelligence to hack the Republican group than the Democratic National Committee.

US Election Assistance Commission Breached (December 15, 2016)

Login credentials for the US Election Assistance Commission have been found for sale on the black market. The organization is responsible for certifying voting machine security in the US. Some of the sets of credentials have high levels of administrative privileges. Initial analysis indicates that the person responsible for the breach is Russian.

Read more in:

CNET: US election agency breached by suspected Russian hacker

Recorded Future: Russian-Speaking Hacker Selling Access to the US Election Assistance Commission

*************************** SPONSORED LINKS *****************************

1) In case you missed it: Cyber Threat Intelligence: Hurricanes and Earthquakes. Get the archive: http://www.sans.org/info/190952

2) Looking for a solution to your security issue? Visit the SANS Affiliate Directory for a list of vendors who may be able to help! http://www.sans.org/info/190962

3) Cyber Threat Intelligence Survey - Take the SANS 2017 Cyber Threat Intelligence Survey and enter to win a $400 Amazon Gift Card! http://www.sans.org/info/190967



Netgear Router Fix is Simple/Not Simple (December 13 & 15, 2016)

A flaw in Netgear routers can be and is being exploited to gather them into botnets. While the flaw is severe, it is "not that hard to fix at all," according to Andrew Rollins, who detected the issue, getting the fix out to the devices is not easy. Netgear has released beta fixes for certain models, but they have not been fully tested. Users will need to apply the firmware updates themselves, as Netgear does not have a mechanism in place for pushing out fixes. Rollins reported the flaw to Netgear in August. After not hearing from the company for three months, he disclosed the flaw. CERT has issued an advisory, which notes that the flaw is trivial to exploit and suggests "discontinuing use of affected devices until a fix is made available."

[Editor Comments ]

[Murray ]
Few owners of these routers will ever even become aware of this vulnerability, much less remediate it. Routers are particularly troubling "things" because many must be addressable from the public networks and, while not necessary, it is convenient for them to be managed from the public networks. While Netgear has been criticized for not having a "push" remedy for this vulnerability, such capabilities, where they exist, necessarily increase the attack surface of the device. Moreover, many implementations of such capabilities have introduced vulnerabilities (e.g., hard-coded passwords) worse than any they might remediate.

[Williams ]
This is typical of IoT update issues and the challenges they represent. Unlike operating systems and consumer software, users are unlikely to patch vulnerable IoT devices, especially when updates risk rendering the device permanently inoperable. Manufacturers of network connected consumer devices largely have one chance to get their software right. For this reason, the adoption of secure SDLC (secure software development life cycle) is absolutely paramount with these devices.

Read more in:

Wired: A Ton of Popular Netgear Routers are Exposed - With No Easy Fix

CERT: Multiple Netgear routers are vulnerable to arbitrary command injection

SC Magazine: Netgear releases patches for publicly known critical flaw

Netgear: Security Advisory for VU 582384

New Site Checks News and Media Sites' Use of Encryption (December 15, 2016)

A new website launched by the Freedom of the Press Foundation (FPF), scans media websites and checks for their use of encryption, including their support of HTTPS. FPF's Secure the News project checks to see if the sites implement encryption by default and whether the sites are susceptible to HTTPS downgrade attacks, in which browsers are tricked into downloading unencrypted versions of the site. Such attacks can be guarded against through the use of the HTTPS Strict Transport Security (HSTS) feature. At the time the Wired article was published, just four of the 104 sites listed received an A while 75 received Ds and Fs.

Read more in:

Wired: "Secure the News" Grades Media Sites on HTTPS - and Most Fail

Third Man Arrested in JPMorgan Breach (December 14 & 15, 2016)

Federal officials in the US have arrested Joshua Samuel Aaron, who allegedly played a role in an attack on systems at JPMorgan Chase and other banks, brokerage firms, and financial news publishers. Aaron, along with two other men who have already been arrested, allegedly stole personally identifiable information belonging to 83 million bank customers. Aaron faces charges of securities fraud, wire fraud, computer hacking, and identity theft.

Read more in:

SC Magazine: Feds nab alleged JPMorgan hacker

US Dept. of Justice: Manhattan U.S. Attorney Announces Arrest Of Defendant Charged With Participation In Massive Hacks Into U.S. Financial Institutions

ESET: Attacks Targeting Ukrainian Banks Bear Similarities to Last Years Power Station Attacks (December 13 & 15, 2016)

Cybercriminals launching attacks against Ukrainian financial entities and infrastructure over the past few months are using methods and tools very similar to those used by the group that launched attacks on Ukrainian power system a year ago. The group behind the recent financial intrusions has been dubbed TeleBots. Both groups used spear phishing emails with Microsoft Excel attachments containing malicious macros for initial infections.

[Editor Comments ]

[Williams ]
Campaign attribution is difficult. Here the components for attribution seem to be the use of macros delivered with Excel and the use of Black Energy. Many groups use macro files delivered with Excel and the source code for Black Energy has been sold repeatedly on the black market.

[Assante ]
This fresh wave of cyber attacks are good examples of the rising trend of attacks meant to destroy data and damage cyber assets. Cyber sabotage is becoming a common tool raising appropriate fears that the world is far from establishing cyber norms.

Read more in:

The Register: BlackEnergy power plant hackers target Ukrainian banks

SC Magazine: Telebots cybergang toolset reminiscent of BlackEnergy

ESET: Report: The rise of TeleBots: Analyzing disruptive KillDisk attacks

Filmmakers and Photojournalists Want Encrypted Cameras (December 14, 2016)

More than 150 documentary filmmakers and photojournalists have signed an open letter from the Freedom of the Press Foundation asking camera makers to add encryption to the still photo and video cameras so that if the devices are stolen or seized by authorities, they will not immediately offer up sensitive information. Most smartphones encrypt stored data by default, and encrypted storage software is readily available for PCs, but cameras lack similar protections.

[Editor Comments ]

[Pescatore ]
This is a great idea. Nice niche for a startup if the camera makers move too slowly and the Freedom of the Press Foundation would have more impact making sure reporters, photographers and media outlets encrypted all stored information vs. the SSL checking site mentioned above.

Read more in:

Wired: 150 Filmmakers Ask Nikon and Canon to Sell Encrypted Cameras

The Register: Give us encrypted camera storage, please - filmmakers, journos

CNET: Filmmakers and journalists to camera makers: Add encryption

Microsoft Releases 12 Security Bulletins; Separately, Fixes DHCP Issue (December 14, 2016)

On Tuesday, December 13, Microsoft released 12 bulletins addressing a bevy of vulnerabilities in its Edge and Internet Explorer browsers, Windows, Office, and the .NET Framework. Microsoft also released a security update that fixes a problem with an earlier update that appeared to break the Dynamic Host Configuration Protocol (DHCP) and prevented some users' computers from connecting to the Internet.

Read more in:

The Register: Reschedule the holiday party, Patch Tuesday is here and it's a big one

NetworkWorld: Dec. 2016 Patch Tuesday: Microsoft releases 12 security bulletins, 6 rated critical

Microsoft Technet: Microsoft Security Bulletin Summary for December 2016

ZDNet: Windows 10: Microsoft fixes bug that blocked PCs from the internet

Ars Technica: Windows 10 update broke DHCP, knocked users off the Internet

Adobe Releases Fixes for Flash and Other Products (December 14, 2016)

Adobe has released a security update to fix 17 flaws in Flash Player. Sixteen of the vulnerabilities are rated critical, and one of those is being actively exploited. Windows, macOS and Linux users should update to Flash version Flash that comes bundled with Google Chrome and with Internet Explorer for Windows 8.1 and Windows 10 will be updated automatically. Adobe has also released updates for eight other products, including critical flaws in DNG Converted and InDesign.

Read more in:

Computerworld: Adobe fixes critical flaw in Flash Player

KrebsOnSecurity: New Critical Fixes for Flash, MS Windows

Edge Will Push Flash to the Sidelines (December 14, 2016)

The next version of Microsoft's Edge browser will by default make Flash Player click-to-run. The feature will be present in Insider Preview builds and in the Windows 10 Creators Update scheduled for release in Spring 2017. Edge will instead default to HTML5 content when available. Google is adopting a similar policy for its Chrome browser.

[Editor Comments ]

[Murray ]
"Spring 2017" will make seven years since Steve Jobs' "Thoughts on Flash." Hundreds of patches later, Flash remains the Achilles Heel of the desktop browser, not to say of the Internet. Jobs was roundly criticized for his decision but he has certainly been vindicated. The money spent patching Flash might well buy Adobe. The persistence of Flash remains a mystery to me. Safari on my iPad does not support it and I have not missed it. (Microsoft's) commitment to backwards compatibility makes security late and expensive.

Read more in:

ZDNet: Microsoft to disable most Flash content in its Edge browser

Ars Technica: Flash will become click-to-run in Edge, Chrome in 2017

Google Publishes 21 National Security Letters (December 13 & 14, 2016)

Google has released the content of eight National Security letters it received from the FBI between 2010 and 2015. In October, Google received permission from the FBI to publish the documents, which were all accompanied by gag orders when originally issued. The eight letters request information from a total of 21 accounts.

Read more in:

Christian Science Monitor: Google published national security letters after US lifts gag order

Computerworld: Google publishes national security letters

Google Blog: Sharing National SecnDearurity Letters with the public


Microsoft Patch Tuesday + Adobe Flash

Apple Updates

More Netgear Products Vulnerable; Beta Patch Available

iOS Profile Vulnerability PoC Available

Malicious JavaScript Bypasses UAC

Skype Unauthorized API Access Blocked

Facebook Announces Certificate Transparency Monitoring Tool

Another Tor Browser (and Firefox) Bug Fixed

Cheap Android Phones Arrive with Malware Preinstalled

Exploit for Nagios

Domain Cops Malware Analysis

OS X Filevault Password Retrieval

QEMU/Xen Vulnerability

DNS Changer Attacking Home Routers

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board