Annotated News Update from the Leader in Information Security Training, Certification and Research - June 6, 2017, Vol. 19, Num. 45

Top of The News
  • Contractor Arrested in Connection with Leaked NSA Report
  • US Supreme Court Will Hear Mobile Phone Location Data Case
  • Pandemic CIA Cybertool Infects Computers Through File Servers
The Rest of the Week's News
  • Healthcare Cyber Security Task Force Report
  • VA Will Adopt Electronic Health Record System Used by Defense Department
  • EternalBlue Now Being Used to Distribute More Malware
  • Newest Version of Safari Will Block Autoplay by Default
  • GAO Report: FDIC Needs to Improve Security Controls
  • US Department of Health and Human Services OIG Report
  • ICO Data on Reported Breaches
Internet Storm Center Tech Corner
Cybersecurity Training Update

SANS Minneapolis 2017 | June 19-24 

Digital Forensics & Incident Response Summit | Austin, TX | June 22-29

SANS Columbia 2017 | Columbia, MD | June 26-July 1

SANS Cyber Defence Singapore 2017 | July 10-15

SANS ICS & Energy-Houston | July 10-15

SANS Los Angeles-Long Beach 2017 | July 10-15

SANSFIRE 2017 | Washington, DC | July 22-29

SANS San Antonio | August 6-11

SANS Boston 2017 | August 7-12

SANS New York City | August 14-19

SANS London September 2017 | September 25-30  

SANS Online Training
Special Offer! Register by June 7 and receive a GIAC Certification Attempt or $350 off your OnDemand and vLive course.

Single Course Training
SANS Mentor and Community SANS

View the full SANS course catalog


Free technical content sponsored by Splunk
Splunk: Learn How to Quickly Analyze Network Events With Splunk. Let us take you step-by-step through a security investigation to understand where and how an attacker entered your network and how to remediate the threat. Start with a demo video, then perform the investigations yourself in a live, preconfigured Splunk instance to identify the root cause of the infection.
  Top of the News
Contractor Arrested in Connection with Leaked NSA Report
(June 5, 2017)
An NSA report leaked to a US media outlet indicates that Russian intelligence agents hacked computers belonging to a voting systems manufacturer just weeks before the November 2016 presidential election. The stolen information is believed to have been used in a spear phishing campaign. A government contractor has been arrested in connection with the leak.
Editor's Note

[Stephen Northcutt]
Here is the famous Intercept URL (the Intercept is the organization the alleged leaker sent the data to): Top-Secret NSA Report Details Russian Hacking Effort Days Before 2016 Election
Wired magazine reported, "Intercept reporters then shared the report, in some form, with intelligence officials at the Office of the Director of National Intelligence and the NSA prior to publication to discuss redacting any details that might be damaging to national security." If you absolutely must disclose Top Secret information, please try to do so in a responsible manner. Note they welcome leaks and are open to topics other than Russian hacking: The Intercept Welcomes Whistleblowers; Leaked Documents Reveal Counterterrorism Tactics Used at Standing Rock to "Defeat Pipeline Insurgencies"
Regarding the Hill article focused on the voting machine manufacturer hack, from time to time experts raise concerns about electronic voting machines: Just how secure are electronic voting machines? Do electronic voting machines put 2016 election at risk?
The timing of the release is interesting; ex-FBI Director James Comey is scheduled to testify on the topic of Russian interference in the 2016 election this coming Thursday: Comey-mania about to take over Washington

Read more in:
- Russians hacked US voting systems maker just before election
- Gov't contractor charged with leaking classified info to media
- Feds Charge NSA Contractor Accused of Exposing Russian Hacking
US Supreme Court Will Hear Mobile Phone Location Data Case
(June 5, 2017)
The US Supreme Court will hear arguments in a case regarding the need for a warrant to use cell-site data to track a suspect's location. The case, Carpenter v. United States, No. 16-402, involves data held by a mobile phone company. The question is whether police are required to obtain a warrant to access mobile phone location histories. Police currently have access to the information without the need for a warrant through the third-party doctrine, which allows police to demand information from companies if the information is considered a normal business record.
Read more in:
- Supreme Court Agrees to Hear Cellphone Tracking Case
- Supreme Court agrees to rule if cops need warrant for cell-site data
- Supreme Court to hear case on tracking phone location data
Pandemic CIA Cybertool Infects Computers Through File Servers
(June 1, 2017)
WikiLeaks has published documentation for a purported CIA tool, known as Pandemic, that turns a Windows file server into a distribution point for whatever malware the attacker chooses. When a targeted computer requests a file from the server over SMB, the server hands back a trojanized version of that file in place of the original. The substitution happens in transit: the file on the server's own disk is left unchanged, so an administrator inspecting the server sees clean files while clients receive malicious ones.
Read more in:
- WikiLeaks says CIA's "Pandemic" turns servers into infectious Patient Zero
- CIA Malware Can Switch Clean Files With Malware When You Download Them via SMB
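Because the copy on the server's disk stays clean, a Pandemic-style substitution can only be caught on the client side, by comparing what was actually received against a manifest of known-good hashes obtained over a different channel (a signed build manifest, a read-only repository, an out-of-band copy). The following is an added illustration of that check, not code from the WikiLeaks material or from any of the linked articles; the share path, manifest layout, and sample file contents are constructed for the example.

```python
"""Client-side check for in-transit file substitution on an SMB share.

The manifest must come from a trusted source that does not pass through the
suspect file server; hashing the server's own copy would prove nothing,
since the on-disk file is not what the client receives.
"""
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """files: {relative name: bytes}. Run this on the trusted build host."""
    return {name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in files.items()}


def check_file(entry: dict, data) -> str:
    """Compare one received file against its manifest entry."""
    if data is None:
        return "missing"
    if sha256_hex(data) == entry["sha256"]:
        return "ok"
    # A swapped executable is the interesting case; report the size delta too.
    kind = "PE" if data[:2] == b"MZ" else "non-PE"
    return "MISMATCH (%s, %d bytes vs %d expected)" % (kind, len(data), entry["size"])


def verify_fetched(manifest: dict, fetched: dict) -> dict:
    """fetched: {name: bytes} exactly as the client received them.
    Returns {name: verdict}; files on the share but not in the manifest are
    reported as 'unexpected'."""
    verdicts = {name: check_file(entry, fetched.get(name))
                for name, entry in manifest.items()}
    for name in fetched.keys() - manifest.keys():
        verdicts[name] = "unexpected"
    return verdicts


def verify_share(share_root: str, manifest: dict) -> dict:
    """Read every manifest entry from the suspect share the way a client would.
    share_root is a hypothetical UNC path such as r'\\\\fileserver\\tools'."""
    root = Path(share_root)
    fetched = {}
    for name in manifest:
        p = root / name
        if p.is_file():
            fetched[name] = p.read_bytes()
    return verify_fetched(manifest, fetched)


def flagged(verdicts: dict) -> list:
    """Names that need a human to look at them."""
    return sorted(name for name, v in verdicts.items() if v != "ok")


# Constructed sample: what the build host produced vs what a client received.
CLEAN = {
    "tools/agent.exe": b"MZ" + b"\x00" * 62 + b"clean build",
    "tools/README.txt": b"usage: agent.exe /scan\n",
}
MANIFEST = build_manifest(CLEAN)
RECEIVED = {
    # The executable arrives with 16 extra bytes appended: substituted in transit.
    "tools/agent.exe": CLEAN["tools/agent.exe"] + b"\x90" * 16,
    "tools/README.txt": CLEAN["tools/README.txt"],
}

if __name__ == "__main__":
    for name, verdict in verify_fetched(MANIFEST, RECEIVED).items():
        print(name, verdict)
```

In practice the manifest would be produced by the build pipeline and signed, and `verify_share` would run on a workstation rather than on the file server itself; running it on the server reads the local, untouched file and would report everything as clean.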
Sponsored Links
Don't Miss: "SecOps principles to close gaps in Vulnerability Management" with John Pescatore.
Webcast: "Evaluation Criteria for ICS Cyber Security Monitoring with Rockwell Automation and Claroty" Register:
Be sure to check out "Fighting Account Takeover - Change The Battle and Win"
  The Rest of the Week's News
Healthcare Cyber Security Task Force Report
(June 5, 2017)
The US Department of Health and Human Services Health Care Industry Cybersecurity Task Force has released its first report to US legislators. The report underscores the point that digital vulnerabilities are threats not only to information but also to patients' safety. It calls for the government and private sector healthcare entities to work together on six imperatives that include defining leadership, governance, and expectations for healthcare cybersecurity; increasing the resilience and security of medical devices and IT; and identifying ways to protect research and development and intellectual property from theft.
Editor's Note

[John Pescatore]
A solid set of recommendations but a lot of focus on new frameworks, regulations, etc. vs. overcoming obstacles that caused decades of talk about and spending on security and privacy around personal health information and medical equipment with very little actual progress. While the Critical Security Controls were not specifically cited, good to see basic security hygiene concepts sprinkled across the higher priority recommendations.

[William Hugh Murray]
Legislation is difficult; HIPAA is the example. Few laws were better intended; few have had such perverse effects. Health data duplication has increased, much of it still on paper. "Portability" is a joke, privacy and security breaches routine, use of IT sparse, expensive, ineffective and despised by the service providers. After twenty years we still wait patiently for any of its promises to be met. IT "modernization" may be necessary but it will be difficult under the law and far from a solution to all the problems.

Read more in:
- Federal task force: Here's how to fix healthcare cybersecurity
- HHS Cyber Task Force wants better partnerships, stronger federal leadership
- Health Care Industry Cybersecurity Task Force (PDF)
VA Will Adopt Electronic Health Record System Used by Defense Department
(June 5, 2017)
The US Department of Veterans Affairs is moving from its legacy electronic health record (EHR) system to a commercial, off-the-shelf product that is also used by the Defense Department (DoD). The VA will drop its Veterans Information Systems and Technology Architecture (VistA) and switch to the MHS Genesis EHR system. The move means that military personnel's EHRs can move with them from DoD to the VA once they leave the military. The VA's system will have additional capabilities so it can interact smoothly with its healthcare partners around the country.
Editor's Note

[Lee Neely]
The VA plan calls for participation from clinicians (read: customization), and the 2018 budget calls for a $218M cut to IT spending, which, in combination, can cause a project like this to fail. Management of the scope and adequate budget are crucial for success and should be planned before they start. I worry the VA is not considering the migration effort nor the resources required to run in parallel until the cutover completes.

Read more in:
- Shulkin announces new direction for VA electronic health record
- VA to use same electronic health record system as military
EternalBlue Now Being Used to Distribute More Malware
(June 5, 2017)
The EternalBlue exploit that was used in the WannaCry ransomware attacks is now being used to distribute the Nitol backdoor and Gh0st RAT. The exploit takes advantage of a flaw in Microsoft's implementation of version 1 of the Server Message Block (SMBv1) protocol, which Microsoft patched in March 2017 (MS17-010). Hosts that are unpatched or still expose SMBv1 on port 445 remain vulnerable regardless of which payload the attacker chooses to deliver.
Read more in:
- Leaked NSA hacking exploit used in WannaCry ransomware is now powering Trojan malware
- EternalBlue, used in WannaCry, now with Nitol backdoor and Gh0st RAT
- EternalBlue Exploit Spreading Gh0st Rat, Nitol
- Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads
Newest Version of Safari Will Block Autoplay by Default
(June 5, 2017)
At its Worldwide Developers Conference this week, Apple said that the newest version of its Safari browser will block autoplaying video by default. Another new feature, Intelligent Tracking Prevention, limits the ability of third-party sites to track users across the web using cookies, which means users should no longer see searches conducted on one site appear as advertisements on another.
Read more in:
- Safari will automatically block those annoying autoplay videos
- WWDC 2017: Everything important Apple announced at its big event
GAO Report: FDIC Needs to Improve Security Controls
(June 2, 2017)
According to a report from the US Government Accountability Office (GAO), the Federal Deposit Insurance Corporation (FDIC) needs to do more to improve its information security controls. The report also notes that while the FDIC has implemented "numerous information security controls intended to protect its key financial systems," there are still concerns regarding access controls and the isolation of its financial systems from the rest of its network.
Read more in:
- FDIC dinged again for inadequate infosec
- FDIC Needs to Improve Controls over Financial Systems and Information (PDF)
US Department of Health and Human Services OIG Report
(June 2, 2017)
The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) has submitted its semi-annual report to Congress. Among OIG's findings: HHS "faces challenges to protect the privacy and security of the data it collects and maintains."
Read more in:
- Health Data Security Tops HHS' List of Challenges
- Semiannual Report to Congress: October 1, 2016 to March 31, 2017 (PDF)
ICO Data on Reported Breaches
(June 1, 2017)
According to data obtained from the UK's Information Commissioner's Office (ICO), 43 percent of breaches reported between January 2014 and December 2016 affected the healthcare sector. While healthcare had the highest percentage of reported breaches, other sectors are seeing greater increases in the number of breaches reported. Across all sectors, more breaches were caused by human error than by external cyber threats.
Read more in:
- Healthcare tops UK data breach chart - but it's not what you're thinking
  Internet Storm Center Tech Corner
Phishing Campaigns for Bitcoin

Mouseover May Trigger Powerpoint Macro

Vault 7 "Pandemic" Tool (PDF)

Mozilla Considering Move Away From OCSP

Finding XOR Keys Used To Encode Malware

Citywide IMSI Discovery

Hijacking Country Level Domains


The Editorial Board of SANS NewsBites
Alan Paller
Brian Honan
David Hoelzer
David Turley
Dr. Eric Cole
Ed Skoudis
Eric Cornelius
Gal Shpantzer
Jake Williams
Dr. Johannes Ullrich
John Pescatore
Mark Weatherford
Mason Brown
Michael Assante
Rob Lee
Sean McBride
Shawn Henry
Stephen Northcutt
Suzanne Vautrinot
Tom Liston
William Hugh Murray
Lee Neely

SANS Institute

8120 Woodmont Avenue, Suite 310, Bethesda, MD, 20814

Privacy Policy.