SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #66

August 22, 2017

TOP OF THE NEWS

US Cyber Command to be Elevated to Unified Military Command
US National Guard Cyber Task Force Echo
Google Adds Chrome Extension Warnings
Drupal Security Update

THE REST OF THE WEEK'S NEWS

Hackers Steal 500,000 USD from Enigma Project Investors
Sinopec Shengli Oilfield Computers Infected with Ransomware
Google Researchers Demonstrate Weakness in Visible Digital Watermarking
US State Department eMail Outage Resolved
Advisory Committee Discusses Updating NIST Smart Grid Framework
Extradition for Yahoo! Breach Suspect
Carbon Black Alerts Some Customers to Security Bug in Cb Response
Los Angeles Cyber Lab Will Share Cyber Security Info with Area Businesses

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Sophos Inc. **********************

NEW Whitepaper: Recent ransomware attacks have spread through corporate networks, extorting money to restore your data and regain control of your computers. Modern firewalls are purpose-built to defend against these attacks, but need to be given an opportunity to do their job. Learn how to configure your firewall and network to give optimum protection against ransomware. Learn More: http://www.sans.org/info/197630

***************************************************************************

TRAINING UPDATE

-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Baltimore Fall 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS OnDemand and vLive Training | Get an iPad Pro (10.5") with Smart Keyboard, an HP Chromebook 13 G1 or take $350 Off OnDemand or vLive Training when you register by August 30! https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

US Cyber Command to be Elevated to Unified Military Command (August 18, 19, & 21, 2017)

The US Cyber Command (CYBERCOM) will be elevated to a unified military command. The move aims to strengthen the US's position in cyberspace operations. CYBERCOM was created in 2009 and was placed within the NSA. The change in CYBERCOM's status will not move forward until a leader for the unit is nominated and confirmed.

Read more in:

Washington Post: President Trump announces move to elevate Cyber Command https://www.washingtonpost.com/news/checkpoint/wp/2017/08/18/president-trump-announces-move-to-elevate-cyber-command/
Nextgov: What the Announced NSA/Cyber Command Split Means http://www.nextgov.com/cybersecurity/2017/08/what-announced-nsacyber-command-split-means/140371/?oref=ng-channelriver
Fifth Domain: Trump elevates Cyber Command; split with NSA still an option https://www.fifthdomain.com/dod/cybercom/2017/08/18/trump-elevates-cyber-command-split-with-nsa-still-an-option/
SC Magazine: Cyber Command elevated to Unified Combatant Command https://www.scmagazine.com/cyber-command-elevated-to-unified-combatant-command/article/682924/
Wired: The US Gives Cyber Command the Status It Deserves https://www.wired.com/story/cyber-command-elevated/
US DoD: DoD Announces Elevation of U.S. Cyber Command to a Unified Combatant Command https://www.defense.gov/News/News-Releases/News-Release-View/Article/1282920/dod-announces-elevation-of-us-cyber-command-to-a-unified-combatant-command/source/GovDelivery/

US National Guard Cyber Task Force Echo (August 18 & 21, 2017)

The US Army has mobilized a full-time cyber task force comprising 138 National Guard members from seven states. Task Force Echo will be under the command of Army Cyber Command.

Read more in:

Fifth Domain: Army mobilizes largest ever National Guard cyber task force https://www.fifthdomain.com/dod/army/2017/08/21/army-mobilizes-largest-ever-national-guard-cyber-task-force/
Army: Newly activated Guard unit to bolster Army Cyber forces https://www.army.mil/article/192601/newly_activated_guard_unit_to_bolster_army_cyber_forces

Google Adds Chrome Extension Warnings (August 20, 2017)

Google has added two new features to its Chrome browser that will alert users when extensions exhibit suspicious behavior. One of the warnings will appear when an extension takes control of user proxy settings; the other will appear when an extension changes a user's home tab.

[Editor Comments]

[Pescatore] I like Google's wording in the draft warning: "If you aren't sure why this change happened, you probably don't want it." I'd like to see Windows and Linux warn sys admins "Even if you are making this change on purpose, you will probably regret it."

[Neely] It's time to start treating browser extensions like software, implementing appropriate review and whitelist activities. Effective warnings will help users make good decisions.

[Northcutt] Kudos for the restore settings button and explanatory text: if you don't know why this change happened you probably don't want it. The problem with plugins or extensions is they require every browser user to be a bit of a shade tree mechanic and since Chrome is the most popular browser, that is the battleground:
https://en.wikipedia.org/wiki/Usage_share_of_web_browsers

Read more in:

Bleeping Computer: Chrome Adds Warning for When Extensions Take Over Your Internet Connection https://www.bleepingcomputer.com/news/security/chrome-adds-warning-for-when-extensions-take-over-your-internet-connection/

Drupal Security Update (August 18, 2017)

Drupal has released an update for its content management system (CMS) to address several critical security issues. Drupal 8.3.7 includes fixes for three vulnerabilities. Drupal has also issued a security advisory for Drupal 7.x.

[Editor Comments]

[Neely] Because a CMS runs with the permissions to update and configure the web site, it contains the keys to its own destruction. When using one, you also need a corresponding proactive update, monitoring and minimal extension posture to reduce the risks of exploit.

Read more in:

ZDNet: Drupal patches critical access bypass flaw in engine core http://www.zdnet.com/article/drupal-patches-access-bypass-flaw-in-engine-core/
Drupal 8.3.7: Drupal Core - Multiple Vulnerabilities - SA-CORE-2017-004 https://www.drupal.org/SA-CORE-2017-004
Drupal 7.x: Views - Critical - Access Bypass - DRUPAL-SA-CONTRIB-2017-068 https://www.drupal.org/node/2902604

*************************** SPONSORED LINKS *******************************
1) Find out how you compare to your peers when it comes to incident response, visit IDC's Security Response Readiness Assessment. http://www.sans.org/info/197635
2) Join John Pescatore & E8 Security to learn how studying the behavior of people and machines shows what's normal and what may pose a risk to your organization. http://www.sans.org/info/197640
3) Learn the three strategies Avidia Bank implemented to shut out today's sophisticated threats and how you can apply them to protect your own organization. http://www.sans.org/info/197645
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Hackers Steal 500,000 USD from Enigma Project Investors (August 21, 2017)

Hackers took control of the Enigma Project's website, Slack channel, and mailing list and stole nearly 500,000 USD from investors in Enigma's Catalyst cryptocurrency trading platform. Enigma had been holding a pre-sale of tokens for pre-qualified investors ahead of the planned September 1, 2017 Initial Coin Offering, which is essentially a digital IPO in which investors receive tokens rather than stock. The hackers sent out messages saying that the pre-sale was now open to everyone and tricked people into sending funds to an Ethereum cryptocurrency wallet that belonged to the attackers rather than to Enigma.

[Editor Comments]

[Pescatore] ICOs are kinda like the lemonade stands kids put up: cheap, easy to buy, but you never actually know what the ingredients are and how many dirty fingers were involved. Yet another good basic security hygiene quote from this one, where customers wondered: "... how a specialized cryptography company could only now be realizing the need for stringent account hygiene."

Read more in:

Wired: A Very Dumb Mistake Costs Cryptocurrency Investors Big Time https://www.wired.com/story/enigma-ico-ethereum-heist/
SC Magazine: Hackers steal nearly $500K from Enigma virtual currency platform's ICO investors https://www.scmagazine.com/hackers-steal-nearly-500k-from-enigma-virtual-currency-platforms-ico-investors/article/683070/
Bleeping Computer: Hacker Steals $475,000 Worth of Ethereum After Breaching Enigma Project https://www.bleepingcomputer.com/news/security/hacker-steals-475-000-worth-of-ethereum-after-breaching-enigma-project/
The Register: Hackers scam half a million from Enigma digital currency investors http://www.theregister.co.uk/2017/08/21/enigma_digital_currency_investors_scammed/

Sinopec Shengli Oilfield Computers Infected with Ransomware (August 21, 2017)

China's Sinopec Shengli Oilfield is severing the Internet connections of some of its offices in the wake of a ransomware attack that infected at least 21 company terminals. All computers that do not have anti-virus protection installed will be cut off from the Internet.

Read more in:

Reuters: Sinopec's Shengli Oilfield cuts Internet for some offices after cyber attack http://www.reuters.com/article/us-china-cyberattack-idUSKCN1B11AM

Google Researchers Demonstrate Weakness in Visible Digital Watermarking (August 18, 2017)

Google researchers have developed an algorithm that allows them to remove visible digital watermarks from stock photos. The algorithm is able to do what it does because watermarks are added to photos on the Internet in a "consistent manner," allowing a watermark to be eliminated more easily. The researchers recommend redesigning visible digital watermarks to be more "robust against removal from a single image... and more resistant to mass-scale removal from image collections as well."

[Editor Comments]

[Pescatore] In reality, there are cryptographically-based digital signatures that can provide tamper-proof integrity and then there is everything else. Some of the "everything else" does get legal backing, but you usually get what you pay for.

[Northcutt] This is not a new problem; papers on the subject go back 20 years, but they only present research-grade solutions. For a really quick and solid understanding of the problem, go to the Google blog on the subject and scroll down to the soccer players example:
https://www.google.com/search?safe=off&q=tamper+proof+watermarks+software&spell=1
https://research.googleblog.com/2017/08/making-visible-watermarks-more-effective.html
My wife, a digital photographer, suggests steganography using a tool like SilentEye for proof of ownership, and that certainly raises the ante:
http://silenteye.v1kings.io/

Read more in:

The Verge: Google shows how easy it is for software to remove watermarks from photos https://www.theverge.com/2017/8/18/16162108/google-research-algorithm-watermark-removal-photo-protection
Bleeping Computer: Google Algorithm Removes Watermarks From Stock Photos https://www.bleepingcomputer.com/news/technology/google-algorithm-removes-watermarks-from-stock-photos/
Open Access: On the Effectiveness of Visible Watermarks (PDF) http://openaccess.thecvf.com/content_cvpr_2017/papers/Dekel_On_the_Effectiveness_CVPR_2017_paper.pdf

US State Department eMail Outage Resolved (August 18, 2017)

The US State Department experienced a 12-hour email system outage on Friday, August 18. The outage affected the department's unclassified email system. The service has been restored.

[Editor Comments]

[Paller] This shouldn't be a security story because the State Department said this email outage was not caused by "any external action or interference." However, the last time the department was forced to shut down its unclassified email systems in 2014, it said it was for "routine maintenance" and later admitted the email outage was caused by hacking, and that the maintenance explanation was "a cover story."

Read more in:

FNR: State Department email restored after worldwide outage https://federalnewsradio.com/cybersecurity/2017/08/officials-state-dept-suffers-worldwide-email-outage/
The Hill: State Department experiences email outage http://thehill.com/policy/cybersecurity/347093-state-department-experiences-email-outage
Washington Post: State Department email restored after worldwide outage https://www.washingtonpost.com/world/national-security/officials-state-dept-suffers-worldwide-email-outage/2017/08/18/0a024ac2-8429-11e7-9e7a-20fa8d7a0db6_story.html

Advisory Committee Discusses Updating NIST Smart Grid Framework (August 18, 2017)

The US National Institute of Standards and Technology held an advisory committee meeting last week to discuss updating its Framework and Roadmap for Smart Grid Interoperability Standards. The document was last updated in September 2014.

Read more in:

GCN: NIST tackles smart grid framework update https://gcn.com/articles/2017/08/18/nist-smart-grid-framework.aspx?admgarea=TC_SecCybersSec
NIST: NIST Framework and Roadmap for Smart Grid Interoperability Standards, Release 3.0 (PDF) https://www.nist.gov/sites/default/files/documents/smartgrid/NIST-SP-1108r3.pdf

Extradition for Yahoo! Breach Suspect (August 18, 2017)

A Canadian man who allegedly broke into Yahoo! accounts while working for Russia's FSB will be extradited to the US to face numerous charges, including computer hacking and wire fraud. Karim Baratov waived his right to an extradition hearing. Baratov was arrested in Hamilton, Ontario, in March 2017. The attacks resulted in the compromise of as many as 500 million Yahoo! accounts.

Read more in:

Cyberscoop: Canadian allegedly paid by FSB officers to breach Yahoo will be extradited to U.S. https://www.cyberscoop.com/canadian-allegedly-paid-fsb-officers-breach-yahoo-will-extradited-u-s/?category_news=technology
Fifth Domain: Alleged Yahoo hacker in Canada agrees to extradition to US https://www.fifthdomain.com/civilian/fbi-doj/2017/08/18/alleged-yahoo-hacker-in-canada-agrees-to-extradition-to-us/
DoJ: U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts https://www.justice.gov/opa/pr/us-charges-russian-fsb-officers-and-their-criminal-conspirators-hacking-yahoo-and-millions
DoJ: February 28, 2017 Indictment (PDF) https://www.justice.gov/opa/press-release/file/948201/download

Carbon Black Alerts Some Customers to Security Bug in Cb Response (August 18, 2017)

Carbon Black is warning customers that a security bug in its Cb Response product could result in users sharing sensitive information. The flaw lies in a very specific user configuration of Cb Response that could cause some files to be miscategorized as executables and sent to VirusTotal. The issue is separate from the one that DirectDefense raised last week.

[Editor Comments]

[Neely] Carbon Black warns customers about enabling the upload to VirusTotal feature. This bug required not only enabling that feature, but also being on a Mac using Spotify. A patch was released August 10th. Kudos to Carbon Black for reaching out to potentially impacted customers and taking the possible PR hit versus keeping this undisclosed.

Read more in:

KrebsOnSecurity: Carbon Emissions: Oversharing Bug Puts Security Vendor Back in Spotlight https://krebsonsecurity.com/2017/08/carbon-emissions-oversharing-bug-puts-security-vendor-back-in-spotlight/
Cyberscoop: Newly uncovered Carbon Black bug may have mistakenly sent files to VirusTotal https://www.cyberscoop.com/carbon-black-virus-total-cb-response/?category_news=technology

Los Angeles Cyber Lab Will Share Cyber Security Info with Area Businesses (August 17, 2017)

The city of Los Angeles, California, partnering with Cisco, has launched the Los Angeles Cyber Lab, which will allow Los Angeles's city government to share with local businesses information it uses to keep its systems secure. The Los Angeles Cyber Lab focuses on "facilitating and promoting innovation, education, and information sharing between Los Angeles' public and private sectors." The information comes from the Los Angeles Integrated Security Operations Center.

[Editor Comments]

[Neely] This free offering will aid small businesses that don't have the budget for cyber/threat intelligence. Small businesses are also better positioned to get their arms around the trust/NDA agreements necessary to fully leverage the service.

Read more in:

GovTech: Los Angeles Launches Cybersecurity Lab to Aid Local Businesses http://www.govtech.com/security/Los-Angeles-Launches-Cybersecurity-Lab-to-Aid-Local-Businesses.html
LA Cyber Lab: Cyber Security Tools and Education for L.A. Businesses https://www.lacyberlab.org/

INTERNET STORM CENTER TECH CORNER

EngineBox Banking Malware

https://isc.sans.edu/forums/diary/EngineBox+Malware+Supports+10+Brazilian+Banks/22736/

It's Not An Invoice

https://isc.sans.edu/forums/diary/Its+Not+An+Invoice/22738/

iOS Secure Enclave Key Posted

https://www.theiphonewiki.com/wiki/Greensburg_14G60_%28iPhone6,1%29

Vulnerabilities in FoxIT PDF Reader

https://www.thezdi.com/blog/2017/8/17/busting-myths-in-foxit-reader

Hackers Scam $500,000 From Enigma Digital Currency Investors

http://www.theregister.co.uk/2017/08/21/enigma_digital_currency_investors_scammed/

Bitcoin Privacy Threats

https://arxiv.org/abs/1708.04748

$500 iPhone PIN Brute Forcing Box

https://www.youtube.com/watch?v=IXglwbyMydM

SyncCrypt Bypasses Antivirus Filters with Images

https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create