SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #55

July 14, 2017

How To Find Out Whether A Student Is Likely To Be Good At Cybersecurity

[National Governors' Conference, Providence, July 14, 2017]

Seven Governors announced a pilot program offering an onramp for students interested in demonstrating their talent and developing cyber skills. Virginia, Michigan, Iowa, Delaware, Rhode Island, Nevada and Hawaii governors announced that students (over 16) in their states now have immediate access to the new CyberStart national cyber opportunity program that lets them find out how much natural talent they have and win scholarships for advanced training. Tryouts end in 14 days.

National Governors Association Chairman's Press Release

http://governor.virginia.gov/newsroom/newsarticle?articleId=20751

Overall Program Page: https://www.sans.org/CyberStartUS

TOP OF THE NEWS


White House Removes Kaspersky from Approved Vendor List
China and Russia Ban VPNs
Dutch Intelligence to Get Broadened Surveillance Authority

THE REST OF THE WEEK'S NEWS


Bupa Health Insurance Employee Allegedly Stole Customer Data
SAP Releases Monthly Security Updates
Windows 10 to Add "Process Hollowing" and "Atom Bombing" Protection
Guilty Pleas in Skimmer Case
GSA Seeks Information on Tools for Automating Authority-to-Operate Process
Pacemaker Data is Admissible Evidence
Microsoft and Adobe Patch Tuesday
Verizon Customer Data Exposed
Critical Flaws in Windows NT LAN Manager

INTERNET STORM CENTER TECH CORNER

TOP OF THE NEWS

White House Removes Kaspersky from Approved Vendor List (July 11 & 12, 2017)

The White House has taken Kaspersky Lab off the list of approved vendors for government agencies. The action was taken over concerns that Kaspersky could have ties to the Russian government. Kaspersky maintains that no such ties exist.

[Editor Comments]

[Pescatore] This is a political decision that can be matched by other countries making similar political decisions about US cybersecurity companies. I can't think of a single political decision over my entire career that was a net positive to cybersecurity overall.

[Williams] The IC issues with Kaspersky stem from the immense power that antivirus software has on a machine and the serious risks faced if antivirus is backdoored or otherwise compromised. For more on building an accurate threat model around antivirus software, see (https://www.renditioninfosec.com/2017/07/av_threat_model_kaspersky/). Neither side (USG or Kaspersky) has been completely transparent in their accounts of the issues (For more detail, see: https://www.itwire.com/technology-regulation/79009-kaspersky-response-to-spy-claims-misleading-infosec-expert.html).

Read more in:

The Register: Uncle Sam says 'nyet' to Kaspersky amid fresh claims of Russian ties http://www.theregister.co.uk/2017/07/11/uncle_sam_says_nyet_to_kaspersky/
Reuters: Trump administration limits government use of Kaspersky Lab software http://www.reuters.com/article/us-usa-kasperskylab-idUSKBN19W2W2
FCW: Kaspersky axed from governmentwide contracts https://fcw.com/articles/2017/07/12/kaspersky-gsa-nasa-intel.aspx
V3: Kaspersky: 'We're a pawn in a geopolitical game,' argues Russian security software maker https://www.v3.co.uk/v3-uk/news/3013715/kaspersky-were-a-pawn-in-a-geopolitical-game-argues-russian-security-software-maker

China and Russia Ban VPNs (July 11, 2017)

Legislators in Russia and China are banning the use of virtual private networks (VPNs) in their countries. Russia's State Duma also adopted the first reading of legislation that would ban the use of anonymizing networks like Tor if they do not block access to a list of websites determined by the government.

[Editor Comments]

[Pescatore] See previous comment about political decisions, as same applies to totalitarian government edicts. In the past, similar edicts by China have been revoked (or at least not enforced) as political desire for international trade trumped desire for control over citizens and businesses. However, in times where global cooperation is fractured, enterprise security programs should be prepared to be able to do persistent content encryption when transport encryption is banned into countries like China and Russia.

[Murray] As noted earlier by former GCHQ director Robert Hannigan, "it's not a good idea to weaken security for everybody in order to tackle a minority." Totalitarian states that believe otherwise will learn this the hard way. Any such restrictions will weaken their infrastructure and greatly reduce the cost of attack for their intelligence adversaries.

[Neely] This is a throwback to when they disallowed encryption they couldn't break and feels more like political posturing than an achievable goal. The people they are most interested in will find work-arounds. A more significant pushback will happen when companies will look to take their business elsewhere, as both countries know the value of international business relationships.

Read more in:

The Register: Russia, China vow to kill off VPNs, Tor browser http://www.theregister.co.uk/2017/07/11/russia_china_vpns_tor_browser/

Dutch Intelligence to Get Broadened Surveillance Authority (July 11 & 13, 2017)

Dutch legislators have approved a bill that would expand the country's intelligence agencies' surveillance authority. The revised Intelligence and Security Act allows intelligence agencies to conduct surveillance on relatives of suspected terrorists and other serious criminals. It also allows Dutch intelligence agencies to share information with intelligence agencies in other countries. The law has been approved by the Dutch Senate and will take effect a month after it is signed by the country's monarch.

Read more in:

The Register: Dutch Senate votes to grant intel agencies new surveillance powers http://www.theregister.co.uk/2017/07/13/dutch_surveillance_law_revamp/
Reuters: Dutch pass 'tapping' law, intelligence agencies may gather data en masse https://www.reuters.com/article/us-netherlands-intelligence-idUSKBN19W2SU

THE REST OF THE WEEK'S NEWS

Bupa Health Insurance Employee Allegedly Stole Customer Data (July 13, 2017)

An employee of the Bupa health insurance company allegedly stole customer data. Bupa became aware of the breach in June and is now notifying its customers. The breach affects customers with international private insurance, whose policy numbers begin with "BI."

Read more in:

The Register: Bupa: Rogue staffer stole health insurance holders' personal deets http://www.theregister.co.uk/2017/07/13/bupa_data_breach/
BBC: Bupa data breach affects 500,000 insurance customers http://www.bbc.com/news/technology-40595581
Bupa: Important update - information about IPMI data loss https://www.bupa.com/corporate/about-us/customer-update

SAP Releases Monthly Security Updates (July 13, 2017)

SAP has released 12 security notes to fix 23 flaws in a number of its products. Several of the vulnerabilities in SAP Point of Sale Retail Xpress Server could be exploited to allow "information disclosure, privilege escalation, and other attacks."

Read more in:

Threatpost: SAP Patches High-Risk Flaws in SAP POS, Host Agent https://threatpost.com/sap-patches-high-risk-flaws-in-sap-pos-host-agent/126786/
SC Magazine: SAP addresses high-priority POS server flaw on Patch Tuesday https://www.scmagazine.com/sap-addresses-high-priority-pos-server-flaw-on-patch-tuesday/article/674429/
SAP: SAP Security Patch Day - July 2017 https://blogs.sap.com/2017/07/11/sap-security-patch-day-july-2017/

Windows 10 to Add "Process Hollowing" and "Atom Bombing" Protection (July 13, 2017)

When Microsoft releases its Windows 10 Fall Creators Update later this year, it will include added protections against "process hollowing" and "atom bombing." The additions will be part of Windows Defender Advanced Threat Protection; they will be available only to those users who buy the commercial version of Windows Defender.

[Editor Comments]

[Williams, Neely] Only Microsoft Advanced Threat Protection (ATP) customers will get these updates. Process hollowing has been around a long time and most antivirus suites already detect it with relative ease.

[Northcutt] Possibly worth considering purchasing the pricey commercial Windows Defender. My understanding is that it is a detect respond capability as opposed to protect. The process hollowing attack has been around for a very long time; start a legitimate program, then use its memory space, PID, etc., to insert and execute malicious code. Atom bomb is newer, evades anti-virus, next generation anti-virus, requires system behavior monitoring to stop; used in Dridex.

https://www.microsoft.com/en-us/windowsforbusiness/windows-atp
https://practical365.com/exchange-server/advanced-threat-protection-notes-field/
http://blog.ensilo.com/atombombing-a-code-injection-that-bypasses-current-security-solutions
https://www.bleepingcomputer.com/news/security/dridex-becomes-first-malware-family-to-integrate-atombombing-technique/

Read more in:

BleepingComputer: Microsoft Adds Protection Against Process Hollowing and Atom Bombing https://www.bleepingcomputer.com/news/security/microsoft-adds-protection-against-process-hollowing-and-atom-bombing/

Guilty Pleas in Skimmer Case (July 11 & 13, 2017)

Four people have pleaded guilty in US federal court to charges of conspiracy to commit bank fraud for their roles in an ATM skimming scheme. The four people were part of a larger group that stole more than 425,000 USD using skimmers and pinhole cameras on ATMs at PNC and Bank of America.

[Editor Comments]

[Murray] Bank of America is equipping their ATMs for contactless exchange of digital tokens in place of card account numbers. While many ATMs have been converted, many still have not. Apparently, they are withholding announcement until most or all have been converted. (I have used it and it is very convenient. Increased fraud resistance is a bonus.)

Read more in:

ZDNet: ATM skimmers who stole $420,000 plead guilty in US court http://www.zdnet.com/article/atm-skimmer-suspects-plead-guilty-in-us-court/
DoJ: Four More Members of ATM Skimming Conspiracy Targeting Multiple New Jersey Bank Locations Plead Guilty https://www.justice.gov/opa/pr/four-more-members-atm-skimming-conspiracy-targeting-multiple-new-jersey-bank-locations-plead

GSA Seeks Information on Tools for Automating Authority-to-Operate Process (July 13, 2017)

The US General Services Administration (GSA) is asking industry for information about tools and methods that can help the Federal Risk and Authorization Management Program's authority-to-operate (ATO) process. GSA hopes to automate at least part of the ATO process to decrease manual errors.

[Editor's Note]

[Neely] This will make it easier for cloud service providers to obtain ATO status for new offerings. The current lengthy FedRAMP process results in a lack of feature parity which results in use of less secure public cloud offerings. Better yet, automation should lead to continuous monitoring which is reflected into a usable interface to aid security staff as well as authorizing officials.

Read more in:

Executive Biz: GSA Seeks Info on Commercial Automation Tools for FedRAMP ATO Process http://blog.executivebiz.com/2017/07/gsa-seeks-info-on-commercial-automation-tools-for-fedramp-ato-process/
FBO: FedRAMP ATO Automation Tools https://www.fbo.gov/index?s=opportunity&mode=form&id=599d6925771d729873957de851d192e7&tab=core&_cview=0

Pacemaker Data is Admissible Evidence (July 12 & 13, 2017)

A judge in Ohio has ruled that data obtained from a suspect's pacemaker in an arson case is admissible as evidence in court. The suspect was charged with aggravated arson and insurance fraud. Information obtained from his pacemaker showed cardiac rhythms and heart rates inconsistent with the story he told in court. The defense attorney was disappointed with the judge's ruling, saying that it "further expands the government's ability to access some of our most fundamental private information."

[Editor Comments]

[Pescatore] We will see years of lower courts, appellate courts and the Supreme Court dealing with the privacy and surveillance aspects of the "Internet of Things." Medical implants get a lot of press attention but cars and smart homes will be the two major impact areas. The key takeaway here for enterprise security programs: if data in devices in your employees' (or customers') cars and homes is of interest to and obtainable by law enforcement, the same is true for it being of interest and obtainable by law breakers.

Read more in:

BBC: Judge rules pacemaker data admissible in court http://www.bbc.com/news/technology-40592520
CNET: Judge rules pacemaker data can be used against defendant https://www.cnet.com/news/judge-rules-pacemaker-data-can-be-used-against-defendant/

Microsoft and Adobe Patch Tuesday (July 11 & 13, 2017)

On Tuesday, July 11, Microsoft and Adobe released their monthly security updates. Microsoft's fixes address at least 54 vulnerabilities in Windows, Edge, Internet Explorer, Office, and Exchange; 19 of the flaws are rated critical. Adobe's fixes address three flaws in Flash and three flaws in Adobe Connect for Windows.

Read more in:

KrebsOnSecurity: Adobe, Microsoft Push Critical Security Fixes https://krebsonsecurity.com/2017/07/adobe-microsoft-push-critical-security-fixes-11/
Threatpost: Microsoft Patch Tuesday Update Fixes 19 Critical Vulnerabilities https://threatpost.com/microsoft-patch-tuesday-update-fixes-19-critical-vulnerabilities/126758/
Threatpost: Adobe Fixes Six Vulnerabilities in Flash, Connect With July Update https://threatpost.com/adobe-fixes-six-vulnerabilities-in-flash-connect-with-july-update/126747/
Microsoft: Security Update Summary https://portal.msrc.microsoft.com/en-us/security-guidance/summary
Adobe: Security updates available for Flash Player | APSB17-21 https://helpx.adobe.com/security/products/flash-player/apsb17-21.html
Adobe: Security updates available for Adobe Connect | APSB17-22 https://helpx.adobe.com/security/products/connect/apsb17-22.html

Verizon Customer Data Exposed (July 12, 2017)

Fourteen million Verizon customer records were exposed when a third-party vendor stored the information on a misconfigured Amazon S3 server. The data include names, addresses, account PINs, and other account details.

[Editor Comments]

[Pescatore] Cloud storage is to 2017 as "Windows for Workgroups" and the SMB protocol were to 1995 and Windows 95. It is not that it can't be done securely, it is that it is very easy for sloppy admins to leave things wide open and just as easy for users and "rogue" IT to be their own sloppy admins. The best approach is for security and IT to work together to offer users secure ways for lightweight collaboration (which is the biggest reason why cloud storage services are used in rogue IT.) Even with that, extending visibility and configuration standards for the popular cloud storage services is a key part of basic security hygiene these days.

[Murray] Ironically, this breach is consistent with those routinely reported in the Verizon Data Breach Incident Report, i.e., orphan data, mis-configured server, third party.

[Neely] It is important to understand the architecture of the cloud service used. S3 does not traverse the VPC to your other AWS services, so administrative controls are necessary to ensure the data is protected, including use of service-side encryption to protect information at rest, only upload data to S3 over an httpS endpoint, or encrypt data before uploading to S3 if an httpS endpoint is not available.

Read more in:

The Register: 14 MEEELLION Verizon subscribers' details leak from crappily configured AWS S3 data store http://www.theregister.co.uk/2017/07/12/14m_verizon_customers_details_out/
SC Magazine: 14M Verizon customer records exposed on Amazon server https://www.scmagazine.com/misconfigured-server-leaves-14-million-verizon-customer-records-exposed/article/674590/
ZDNet: Security experts warn of account risks after Verizon customer data leak http://www.zdnet.com/article/security-experts-warn-of-account-risks-after-verizon-customer-data-leak/
CNET: Verizon customer data exposed in security lapse https://www.cnet.com/news/israeli-tech-firm-exposes-verizon-customer-records/
Dark Reading: Verizon Suffers Cloud Data Leak Exposing Data on Millions of Customers http://www.darkreading.com/cloud/verizon-suffers-cloud-data-leak-exposing-data-on-millions-of-customers/d/d-id/1329344?
CyberScoop: Report: personal data of more than 14M Verizon customers is exposed in server breach https://www.cyberscoop.com/report-personal-data-14m-verizon-customers-exposed-server-breach/?category_news=technology
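
An added example, not part of the original newsletter or of any vendor's tooling: a small offline audit of S3 bucket policy documents for the controls raised in the editor comments above (no open access, HTTPS-only transfer, encryption at rest). The two sample policies and the bucket name `example-bucket` are constructed, and the check assumes the bucket policy is the only control in play, ignoring ACLs, Resource scope and account-level settings.

```python
import json

SSE_KEY = "s3:x-amz-server-side-encryption"

# Constructed sample policies; "example-bucket" is a placeholder name.
WEAK_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/*"}]}""")

HARDENED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
  {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Principal": "*",
   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
   "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}}]}""")

def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))

def _covers(stmt, action):
    """True if the statement's Action includes `action`, "s3:*" or "*"."""
    wanted = {"*", "s3:*", action.lower()}
    return any(a.lower() in wanted for a in _as_list(stmt.get("Action")))

def _sole_condition(stmt):
    """Return (operator, key, values), lower-cased, if the statement has exactly
    one condition key. Several keys are ANDed and narrow a Deny, so those
    statements are conservatively not counted as protections."""
    pairs = [(op.lower(), key.lower(), [str(v).lower() for v in _as_list(vals)])
             for op, body in stmt.get("Condition", {}).items()
             for key, vals in body.items()]
    return pairs[0] if len(pairs) == 1 else None

def _denies_plain_http(stmt):
    cond = _sole_condition(stmt)
    return (cond == ("bool", "aws:securetransport", ["false"])
            and _covers(stmt, "s3:*"))

def _denies_unencrypted_put(stmt):
    cond = _sole_condition(stmt)
    if cond is None or cond[1] != SSE_KEY or not _covers(stmt, "s3:PutObject"):
        return False
    # Either "header missing" (Null) or "header not an approved value".
    return cond[0] == "stringnotequals" or (cond[0] == "null" and cond[2] == ["true"])

def audit_bucket_policy(policy):
    """Return a list of findings for one bucket policy document."""
    statements = _as_list(policy.get("Statement"))
    denies = [s for s in statements
              if s.get("Effect") == "Deny" and _is_anyone(s.get("Principal"))]
    findings = []
    if any(s.get("Effect") == "Allow" and _is_anyone(s.get("Principal"))
           and not s.get("Condition") for s in statements):
        findings.append("public-allow")   # anyone, unconditionally
    if not any(_denies_plain_http(s) for s in denies):
        findings.append("no-tls-deny")    # plain HTTP is not refused
    if not any(_denies_unencrypted_put(s) for s in denies):
        findings.append("no-sse-deny")    # uploads without an SSE header not refused
    return findings

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(doc))
```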

Critical Flaws in Windows NT LAN Manager (July 11 & 12, 2017)

A pair of flaws in Microsoft's Windows NT LAN Manager (NTLM) could be exploited to create new administrator accounts and to compromise domains. The issues exist due to protocols' improper handling of NTLM. One of the vulnerabilities was fixed in Microsoft's Patch Tuesday release for July.

[Editor Comments]

[Williams] This is the worst press on Windows vulnerabilities in recent memory. The simple fact is that most organizations don't enforce SMB signing (usually due to 3rd party devices that don't support it). Without SMB signing enforced, you're already vulnerable to authentication relay attacks. These vulnerabilities allow attackers to bypass a security control. Simply put, the sky is not falling. That said, examine whether your organization has enabled SMB signing and if not, what steps you can take to do so - it makes a huge difference in your security posture.

Read more in:

SC Magazine UK: 17-year-old auth protocol riddled with vulnerabilities, needs patching https://www.scmagazineuk.com/17-year-old-auth-protocol-riddled-with-vulnerabilities-needs-patching/article/674427/
ZDNet: Vulnerabilities discovered in Windows security protocols http://www.zdnet.com/article/vulnerabilities-discovered-in-windows-security-protocols/
Dark Reading: Microsoft Patches Critical Zero-Day Flaw in Windows Security Protocol http://www.darkreading.com/vulnerabilities---threats/microsoft-patches-critical-zero-day-flaw-in-windows-security-protocol/d/d-id/1329332?
CyberScoop: Microsoft patches domain-controller vulnerability impacting all Windows versions https://www.cyberscoop.com/microsoft-patches-domain-controller-vulnerability-impacting-windows-versions/
Threatpost: Microsoft Addresses NTLM Bugs That Facilitate Credential Relay Attacks https://threatpost.com/microsoft-addresses-ntlm-bugs-that-facilitate-credential-relay-attacks/126752/

INTERNET STORM CENTER TECH CORNER

Microsoft Patch Tuesday

https://isc.sans.edu/diary//22602

AT&T Cell Phone Takeover

https://carpeaqua.com/2017/07/07/hack-the-planet/

Systemd Invalid Username Bug To Be Fixed

https://github.com/systemd/systemd/pull/6300

Simple File Integrity Monitoring With Backup Scripts

https://isc.sans.edu/forums/diary/Backup+Scripts+the+FIM+of+the+Poor/22606/

Ethereum Wallet Services Targeted By Scammers

http://www.ibtimes.co.uk/ethereum-under-siege-scammers-make-700000-6-days-slack-reddit-phishing-attacks-1629866

MongoDB Security Surprises For Shared Hosting

https://medium.com/@alexbyk/mongodb-at-shared-hosting-security-surprises-c441ecb84b54

Trend Micro Vulnerabilities

https://www.coresecurity.com/advisories/trend-micro-deep-discovery-director-multiple-vulnerabilities

Malware Loads ffmpeg For Video Recording Features

https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/

Password Managers and Cloud Storage

https://discussions.agilebits.com/discussion/76956/can-i-still-buy-standalone-license-for-the-1password-no-longer-being-marketed/p8

SAP Point of Sales Express Patch

https://erpscan.com/press-center/blog/sap-cyber-threat-intelligence-report-july-2017/

Roderick Currie: Car Hacking Developments

https://www.sans.org/reading-room/whitepapers/internet/developments-car-hacking-36607

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create