Friday, July 15, 2016

SANS NewsBites Vol 18, July 15, 2016

SANS NewsBites - Annotated News Update from the Leader in Information Security Training, Certification and Research
July 15, 2016               Vol. 18, Num. 056
Top of The News
  • HIPAA Guidance on Reporting Ransomware
  • FDIC Systems Intrusions Not Reported
  • Fiat Chrysler Announces Bug Bounty Program
The Rest of the Week’s News
  • US Appeals Court Sides with Microsoft in Ireland Server Case
  • Clock-Based Intrusion Detection for Automobile Systems
  • Fixes Available for Drupal Remote Code Execution Flaws
  • Locky Ransomware Encrypts Files Even When Computers are Offline
  • Juniper Patches for Junos OS
  • Four-Year Prison Sentence for Conspiracy to Steal Defense Data
  • Malware Found on European Energy Company System
  • Patch Tuesday: Microsoft and Adobe
Cybersecurity Training Update

SANS Minneapolis 2016 | July 18-23

SANS San Antonio | July 18-23

ICS Security Training | Houston, TX | July 25-30

SANS Boston 2016 | August 1-6

SANS Vienna | Vienna, Austria | Aug 1-6

Security Awareness Summit & Training
San Francisco, CA | August 1-10

Data Breach Summit | Chicago, IL | Aug 18

SANS Alaska | August 22-27

SANS Virginia Beach 2016 | Aug 22-Sept 2

SANS Brussels Autumn 2016 | Sept 5-10

SANS Network Security 2016 | Las Vegas, NV | September 10-19

Security Leadership Summit & Training
Sept 27-Oct 4, 2016 | Dallas, TX

SANS Online Training
Anywhere, Anytime: OnDemand | Simulcast | vLive

Single Course Training
SANS Mentor and SANS Community


View the full SANS course catalog

Top of the News
HIPAA Guidance on Reporting Ransomware
(July 14, 2016)
 
According to new Health Insurance Portability and Accountability Act (HIPAA) guidance, ransomware attacks must be reported to the Department of Health and Human Services (HHS). The guidance "describes ransomware attack prevention and recovery from a healthcare sector perspective, including ... how HIPAA breach notification processes should be managed in response to a ransomware attack."
 
Editor's Note

[John Pescatore]
The HHS guidance basically says that if an attacker was able to encrypt files containing PHI, then the attacker has either "acquired" the files (which requires notification) or has impacted the information owner's ability to access their own data and the business ability to maintain the integrity of the data, also requiring notification. Note that this last condition means that disclosure would be required even if you had encrypted the files before the ransomware attack encrypted them a second time! The guidance does point out that you can still perform a risk assessment justifying your belief that a disclosure would not be required.

[Stephen Northcutt]
Page 2 of the HHS Fact Sheet has the magic word, "backup". Frequent backups, tested backups, offsite backups. And we move on to face the next threat.

Read more in:
- SC Magazine: HHS: Healthcare groups must report all ransomware attacks
- Health Leaders Media: CMS Offers HIPAA Guidance on Ransomware
- HHS (Health and Human Services): FACT SHEET: Ransomware and HIPAA
FDIC Systems Intrusions Not Reported
(July 13 & 14, 2016)
 
According to a report from The US House Committee on Science, Space, and Technology, the Chinese government is suspected of breaking into Federal Deposit Insurance Corp. (FDIC) computers several times between 2010 and 2013. Backdoors were found on 12 workstations and 10 servers. The incidents were never reported to authorities.
 
Editor's Note

[Alan Paller]
The shoemaker's children: federal agencies responsible for overseeing cybersecurity in commercial organizations have shown a disturbing pattern, first seen at DHS, of weak internal security controls and skills combined with a failure to disclose important breaches and the lessons learned from those breaches.
Fiat Chrysler Announces Bug Bounty Program
(July 13, 2016)
 
Automobile manufacturer Fiat Chrysler says it will pay up to US $1,500 for reported vulnerabilities in their automobiles' software. Fiat Chrysler is not the first automobile company to pay for information about vulnerabilities; Tesla established a bounty program last year. GM has a vulnerability disclosure program, but offers no payment. 
 
Editor's Note

[John Pescatore]
Increasing numbers of successes show the efficiency and effectiveness of well-managed bug bounty programs, with emphasis on the "well-managed" part. It will be good to see the application security testing services industry respond and up their game against this form of competition.

[Michael Assante]
Vulnerability discovery efforts combined with system-of-system attack surface and path reviews are important tools in the cyber-to-physical design and testing process. The goal is to deliberately consider, reduce, and understand as many exposures as possible prior to release and ongoing version management of software-centric platforms.
Sponsored Links
Why Layered Security Strategies Don't Work and What You Can Do About It.
Tuesday, July 19th, 2016 at 11:00 AM (11:00:00 EDT/US Eastern) with Navneet Singh. http://www.sans.org/info/187285

SANS 2016 Financial Security Survey - Help SANS determine strengths and weaknesses in financial info systems http://www.sans.org/info/187295

Take the SANS 2016 Cloud Security Survey & enter to win a $400 Amazon Gift Card! http://www.sans.org/info/187300

The Rest of the Week's News
US Appeals Court Sides with Microsoft in Ireland Server Case
(July 14, 2016)
 
The US Court of Appeals for the Second Circuit in New York has unanimously reversed a lower court's decision, ruling that Microsoft does not have to surrender customer data stored on an overseas server to the Justice Department. According to the decision, the US Stored Communications Act "does not authorize courts to issue warrants for the seizure of customer email content that is stored exclusively on foreign servers." The Justice Department had sought the contents of email messages stored on a server in Ireland as part of a drug trafficking case.
 
Editor's Note

[William Hugh Murray]
While this is an important case, it is a narrow ruling. The ruling is based, not upon Constitutional grounds, but upon the Court's reading of the law. Expect the government both to appeal and to seek changes to the law. Like the Apple "All Writs" action, this is about whether there are to be any limits on the power of the government to compel the cooperation of those who are not parties to, but mere custodians of, data belonging to others. It has major implications for how we will use the Internet.
Read more in:
- Computerworld: Microsoft wins appeal over U.S. government access to emails held overseas
- V3: Microsoft wins court appeal over handing email stored in Ireland to US authorities
- ZDNet: In privacy victory, Microsoft wins appeal over foreign data warrant
- The Hill: Microsoft wins landmark data storage case
- eWeek: Microsoft Wins Appeal in Ireland Email Case
- SC Magazine: Second Circuit rules in favor of Microsoft, gov't can't force access to email on Irish server
Clock-Based Intrusion Detection for Automobile Systems
(July 14, 2016)
 
Researchers from the University of Michigan have developed a proof-of-concept intrusion detection tool for cars' computer systems. The Clock-based Intrusion Detection System (CIDS) creates digital fingerprints for a car's digital components using "clock skew," the fact that computers' internal clocks drift over time because of manufacturing defects and temperature. The digital fingerprints would allow the researchers to determine whether or not messages are legitimate. The researchers plan to present a paper on their findings at Usenix.
 
Editor's Note

[John Pescatore]
Back in the late 1990s, the automotive industry was considering PKI to support encryption of communications in future smart vehicles. Vehicles usually have some form of Vehicle Identification Number that is "hard coded" into the physical frame of the car, and that makes a good starting point for a trustable public key value. Future movement towards vehicle-to-vehicle communications, let alone autonomous vehicles, will require some form of secure communications.

[William Hugh Murray] 
This is the second report in a week of "security research," rather than legitimized hacking. According to Walt Mossberg, in journalism, "two points make a trend." May these two cases be the start of a trend.
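To make the fingerprinting idea in the CIDS item concrete, here is an added simulation, written for this newsletter and not code from the University of Michigan researchers or from their paper. It constructs receiver-side arrival timestamps for one periodic CAN message, fits a least-squares slope of arrival time against frame index to recover the sender's effective period, and reads the deviation from the nominal period as the sender's clock skew in parts per million. A trusted capture yields the fingerprint; later windows whose skew departs from it by more than a threshold are flagged, which is how a node masquerading under a legitimate CAN ID but driven by its own oscillator gets caught. The 10 ms period, 20 µs jitter, the 40 ppm and 140 ppm skews, the 200-frame window and the 10 ppm threshold are all constructed assumptions, and the batch least-squares fit stands in for the recursive estimator and CUSUM change detection the paper describes.

```python
"""Clock-skew fingerprinting of a periodic CAN message (constructed simulation)."""
import random

NOMINAL_PERIOD_S = 0.010  # constructed: the message is scheduled every 10 ms


def simulate_arrivals(skew_ppm, count, seed, jitter_s=20e-6, period_s=NOMINAL_PERIOD_S):
    """Receiver-side arrival timestamps for `count` frames of one periodic message.

    Constructed model: the sending ECU's oscillator runs `skew_ppm` parts per
    million fast (positive) or slow (negative), so its real period is
    period_s * (1 + skew). Uniform jitter models bus arbitration and driver delay.
    """
    rng = random.Random(seed)
    true_period = period_s * (1.0 + skew_ppm * 1e-6)
    t = 0.0
    stamps = []
    for _ in range(count):
        t += true_period
        stamps.append(t + rng.uniform(0.0, jitter_s))
    return stamps


def estimate_skew_ppm(stamps, period_s=NOMINAL_PERIOD_S):
    """Batch least-squares slope of arrival time against frame index.

    The slope is the sender's effective period; its deviation from the nominal
    period, in ppm, is the clock skew. The jitter averages out across the fit,
    so the estimate is far more precise than any single inter-arrival gap.
    """
    n = len(stamps)
    mean_x = (n - 1) / 2.0
    mean_y = sum(stamps) / n
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(stamps))
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    slope = sxy / sxx
    return (slope / period_s - 1.0) * 1e6


def windows(stamps, window):
    """Yield consecutive non-overlapping windows of `window` frames."""
    for i in range(0, len(stamps) - window + 1, window):
        yield stamps[i:i + window]


def fingerprint(stamps, window=200):
    """Mean skew over fixed-size windows of a trusted training capture."""
    skews = [estimate_skew_ppm(w) for w in windows(stamps, window)]
    if not skews:
        raise ValueError("training capture shorter than one window")
    return sum(skews) / len(skews)


def detect(stamps, fingerprint_ppm, window=200, threshold_ppm=10.0):
    """Return indices of windows whose skew departs from the fingerprint."""
    return [idx for idx, w in enumerate(windows(stamps, window))
            if abs(estimate_skew_ppm(w) - fingerprint_ppm) > threshold_ppm]


def demo():
    # Trusted training capture from the legitimate ECU (constructed 40 ppm skew).
    legit = simulate_arrivals(skew_ppm=40.0, count=2000, seed=1)
    fp = fingerprint(legit)
    # A later capture from the same ECU should stay within the threshold.
    same_ecu = simulate_arrivals(skew_ppm=40.0, count=1000, seed=2)
    # A different node sending the same CAN ID has its own oscillator (140 ppm).
    impostor = simulate_arrivals(skew_ppm=140.0, count=1000, seed=3)
    return {
        "fingerprint_ppm": fp,
        "same_ecu_alerts": detect(same_ecu, fp),
        "impostor_alerts": detect(impostor, fp),
    }


if __name__ == "__main__":
    result = demo()
    print("fingerprint skew: %.2f ppm" % result["fingerprint_ppm"])
    print("alerts, same ECU:", result["same_ecu_alerts"])
    print("alerts, impostor:", result["impostor_alerts"])
```

The threshold is the tuning knob a practitioner would care about: set it from the spread of window estimates in the training capture (here well under 1 ppm per 200-frame window) with enough margin for temperature drift, because a legitimate ECU's skew does change slowly with heat, which is why the paper tracks it recursively rather than fixing it once.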
Fixes Available for Drupal Remote Code Execution Flaws
(July 14, 2016)
 
Drupal is urging users to patch critical vulnerabilities in the content management system that could be exploited to allow remote code execution. The vulnerability is believed to affect approximately 14,000 websites. The Drupal advisory lists new releases for several affected modules.
 
Editor's Note

[Jake Williams]
These vulnerabilities are easily exploitable and result in unauthenticated remote code execution. The highest scoring vulnerability was rated 22/25 on Drupal's security rating scale. Admins were given a 24-hour notice that critical patches were coming. If this isn't already being exploited in the wild, it's only a short time before it will be.
Locky Ransomware Encrypts Files Even When Computers are Offline
(July 14, 2016)
 
A new variant of the Locky ransomware is capable of encrypting files on infected computers even when the malware is unable to communicate with command-and-control servers. Instead of using a unique encryption key, this version of Locky uses a predefined public key, which is the same for all infected machines that are offline or otherwise prevented from communicating with the command-and-control servers.
 
Editor's Note

[William Hugh Murray]
The FBI issued guidance in the context of Locky. Little of the guidance is specific to Locky; most are things that qualify as "essential" practices (can be done by anyone, using available resources, each only about 80%, but work together to achieve an arbitrary level of security; paraphrased from Peter Tippett). Many of these essential measures are dismissed by security professionals because of their (80%) limitations while others are resisted in the name of convenience. However, if implemented as Dr. Tippett suggests, they will resist, not only ransomware, but the success and cost of most other attacks.
Juniper Patches for Junos OS
(July 14, 2016)
 
Juniper has released fixes for eight vulnerabilities in its Junos operating system. The Junos OS is used on Juniper networking and security appliances. The flaws could be exploited to gain elevated privileges, cause denial of service conditions and kernel crashes, and impersonate trusted users.
 
Editor's Note

[Jake Williams]
This flaw allows anyone with a self-signed certificate, claiming to be from a trusted certificate authority, to bypass validation. Organizations using Juniper devices at the boundary should consider employing hunt teams to determine whether this vulnerability was exploited previously.

Read more in:
- The Register: Juniper's bug hunters fire out eight patches
Four-Year Prison Sentence for Conspiracy to Steal Defense Data
(July 14, 2016)
 
A US federal judge in California has sentenced Su Bin to 46 months in prison for his role in a scheme to steal sensitive information from the networks of US defense contractors. Su was also ordered to pay a US $10,000 fine. Su pleaded guilty to charges of conspiracy in March.
Malware Found on European Energy Company System
(July 12 & 13, 2016)
 
Malware known as SFG has been detected on the network of an unnamed energy company in Europe. SFG gathers information about the infected system and opens a backdoor that could be used to launch a malicious payload. It bears similarities to malware known as Furtim, which was used to create a backdoor on industrial control systems. According to SentinelOne Labs, which discovered the malware, SFG "appears to have been designed by multiple developers with high-level skills and access to considerable resources."
 
Editor's Note

[Michael Assante]
I would caution jumping to far-reaching conclusions because malware is found at an energy company. The code as analyzed did not have any discernible modules or payloads designed specifically for operational technology or industrial processes.

Read more in:
- SentinelOne: SFG: Furtim's Derivative
Patch Tuesday: Microsoft and Adobe
(July 13 & 14, 2016)
 
On Tuesday, July 12, Microsoft and Adobe released security updates. Microsoft issued 11 security bulletins that fix more than 40 vulnerabilities in Windows, Microsoft Office, Internet Explorer, and Edge. Adobe's updates fix at least 52 security issues in its Flash Player and at least 30 security issues in Reader.

Read more in:
- KrebsOnSecurity: Adobe, Microsoft Patch Critical Security Bugs
- Microsoft Security Bulletins: July 12, 2016 (MS16-084 through MS16-094)
