SANS NewsBites
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #72

September 12, 2017

Equifax Hack Survival Kit:

  1. A SANS blog/template detailing exactly what security leaders can tell their people about the hack.
  2. A SANS webcast Wednesday 9/13 at 3:30pm ET with latest updates and once again covering what security leadership can tell their people and organization.
  3. Brian Krebs' guide to placing a security freeze on your credit files, so that no one can pull your credit report without your consent. That stops most lenders from extending credit to impostors and does the most to protect you. Unfortunately, few people know about it.



TOP OF THE NEWS

Legislators Call for Equifax Hearings and Investigations
Virginia Election Board Elects to Decertify eVoting Machines That Do Not Provide Receipts
Bossert Says Offensive Cyber Attack Not a Deterrent


THE REST OF THE WEEK'S NEWS

Class Action Lawsuits Filed Against Equifax
Unprotected Admin Accounts Contributed to Recent MongoDB Attacks
DolphinAttack Makes Digital Devices Respond to Inaudible Voice Commands
Chrome 63 Will Warn of Man-in-the-Middle Attacks
Google to Rescind Chrome's Trust in Symantec Certificates
Brookings Event Focused on National Security Concerns in Elections
GSA Bug Bounty Program
Medical Infusion Pump Vulnerabilities
Flaws in German Voting Software Could Be Exploited to Alter Vote Counts


*************************** Sponsored By Sophos Inc. **********************

A new era of endpoint protection - Sophos Intercept X ushers in a new era of endpoint protection for modern threats. It features signatureless anti-exploit, anti-ransomware, and anti-hacker technology, plus visual root-cause analysis and advanced malware cleanup. What are you waiting for? Try it free today.



-- SANS London September 2017 | September 25-30

-- SANS Baltimore Fall 2017 | September 25-30

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2

-- SANS October Singapore 2017 | October 9-28

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17

-- SANS Brussels Autumn 2017 | October 16-21

-- SANS Tokyo Autumn 2017 | October 16-28

-- SANS San Diego 2017 | October 30-November 4

-- SANS Cyber Defense Initiative ® 2017 | Washington, DC | December 12-19

-- SANS OnDemand and vLive Training | Get a GIAC Certification Attempt or $350 Off your OnDemand or vLive course when you register by September 13!

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast

-- Evening training 2x per week for 6 weeks with vLive

-- Anywhere, Anytime access for 4 months with OnDemand format

-- Single Course Training: SANS Mentor and Community SANS

-- View the full SANS course catalog



TOP OF THE NEWS

Legislators Call for Equifax Hearings and Investigations (September 8 & 11, 2017)

The US House Financial Services Committee announced last week that it will hold a hearing on the Equifax breach that compromised the personal information of as many as 143 million people. Senator Tammy Baldwin (D-Wisconsin) has asked the Senate Commerce Committee to schedule a hearing, and Representative Ted Lieu (D-California) has called for the House Judiciary Committee to launch an investigation as well.

[Editor Comments]

[Pescatore] We all know how this latest mega-breach will play out: CEO perp walk in front of Congress, some C-level firings, class action lawsuits, security consulting firms get revenue, yada yada. What is important is that CISOs take advantage of the publicity-driven window of opportunity to drive change and make real advances in security at their own companies or agencies - before management attention gets diverted by the next headline-driven distraction. Failure of application security, including possible failure to mitigate the Apache Struts vulnerabilities, enabled the breach. Other failures in basic security hygiene obviously led to a time to detect of almost 2 months. Using high visibility failures as tailwinds to get management backing is a time-honored strategy in business and in security.

[Ranum] There is never so good a time to lock the barn door as when the horse is out. That way, the horse can't get its butt in the way.

Read more in:

The Hill: Week ahead: Lawmakers alarmed by Equifax breach
The Hill: House committee to hold hearing on Equifax data breach
The Hill: Dem calls for Judiciary investigation into Equifax hack

Virginia Election Board Elects to Decertify eVoting Machines That Do Not Provide Receipts (September 8 & 11, 2017)

Virginia's three-member State Board of Elections has voted to decertify Direct Recording Electronic (DRE) touch-screen voting machines, which do not provide paper receipts. The board wants to replace the machines currently in use in time for the November 7, 2017 elections, less than two months away.

[Editor Comments]

[Williams] For years, manufacturers of electronic voting machines fought to keep their devices away from security researchers, arguing that audits would undermine security. Every e-voting machine available at DEFCON was hacked in the opening hours of the conference. None were left standing. Security through obscurity technically is security, but that argument falls short when we're talking about critical infrastructure.

[Pescatore] The companies that produce and sell insecure voting machines deserve the loss in revenue. States/localities that rushed to buy computerized election systems without considering security will also deservedly feel the pain - just the way hospitals feel the pain for buying the insecure medical machinery sold by that industry. The way elections are run in the US, however, does not lend itself to market-driven or bottom-up approaches - I'd like to see Congressional review of DHS progress since January 2017 when they declared election systems to be Critical Infrastructure.

Read more in:

Reuters: Virginia halts use of voting machines considered vulnerable to hacking
The Register: Virginia scraps poke-to-vote machines hackers destroyed at DefCon
Washington Post: Virginia bans certain voting machines over hacking concerns

Bossert Says Offensive Cyber Attack Not a Deterrent (September 8, 2017)

In his keynote address at the Intelligence & National Security Summit in Washington, DC last week, assistant to the president for homeland security and counterterrorism Tom Bossert told the audience, "There's very little reason to believe that an offensive cyberattack is going to have any deterrent effect on a cyber adversary." Former US intelligence officials do not agree with that position.

[Editor Comments]

[Murray] Refreshing! Economic, criminal, and political sanctions are likely to be more effective deterrents.

[Williams] As someone who's been there and has the T-shirt when it comes to offensive cyber operations, I agree with Bossert here 100%. Attribution is a key component of deterrence and we simply don't have solid attribution when it comes to cyber. Even if the adversary suffers as a result of a cyber attack, unless they know who attacked them it's not much of a deterrent against future action. Publicly announcing you perpetrated the attack isn't effective either. You are now tying the tools used to your activity (not smart) and allowing attribution elsewhere. Either that or you have to rely on one-off developed tools, dramatically increasing the cost of offensive operations.

Read more in:

Cyberscoop: Former officials buck White House adviser's comments about government hacking
*************************** SPONSORED LINKS *******************************
1) SANS analyst Jerry Shenk will reveal how he put Carbon Black's Cb Defense through simulated attacks to see what it detected and how it took action.
2) This presentation reviews the top twenty cyberattack classes for ICS, and describes how to use these attacks to evaluate ICS security programs.
3) Jake Williams shows how leveraging behavior-based indicators of compromise (BIOCs) can automate incident response to ensure your security workflow takes advantage of lessons learned.


THE REST OF THE WEEK'S NEWS

Class Action Lawsuits Filed Against Equifax (September 8, 2017)

Following news of the Equifax breach, which compromised personal information of as many as 143 million people, two class action lawsuits have already been filed against the company: one in Georgia and one in Oregon.

Read more in:

Cyberscoop: Multiple class-action lawsuits filed in wake of Equifax breach
The Register: Surprising nobody, lawyers line up to sue the crap out of Equifax
The Register: Oregon complaint
The Register: North Georgia complaint

Unprotected Admin Accounts Contributed to Recent MongoDB Attacks (September 11, 2017)

According to MongoDB's Senior Director of Product Security, the recent ransom attacks on MongoDB databases (exposed instances were wiped and replaced with a demand for payment) succeeded because the databases were reachable from the Internet with no administrator password set, so anyone who connected had full control. MongoDB plans to tighten default settings in the upcoming MongoDB 3.6.0 release, including binding to localhost by default.
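As an added example (not from the page, the article, or MongoDB's own tooling), the script below audits a mongod.conf for the two settings that made the ransomed instances reachable with full rights: a bindIp that listens beyond loopback and security.authorization left disabled. The weak and hardened configurations are constructed samples. The parser handles only the two-level section/key subset of YAML that mongod.conf uses, and it assumes that a missing bindIp means listening on all interfaces, which was how mongod behaved before 3.6.

```python
"""Audit a mongod.conf for the exposure behind the 2017 MongoDB ransom attacks:
a listener reachable beyond loopback combined with authorization left disabled.
Constructed example; the configs below are samples, not from a real deployment."""
import ipaddress

# Constructed sample: the shape of many pre-3.6 deployments that were wiped.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: loopback only and role-based access control turned on.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""


def parse_conf(text):
    """Parse the two-level 'section:' / '  key: value' subset of YAML that
    mongod.conf uses. Comments are stripped. Not a general YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip()
    return conf


def loopback_only(bind_ip):
    """True only if every comma-separated address in bindIp is loopback.
    Hostnames other than 'localhost' cannot be proven local, so they count as exposed."""
    for addr in bind_ip.split(","):
        addr = addr.strip()
        if addr == "localhost":
            continue
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return False
        except ValueError:
            return False
    return True


def audit(text):
    """Return a list of findings; an empty list means neither weakness is present."""
    conf = parse_conf(text)
    net = conf.get("net", {})
    security = conf.get("security", {})

    # Assumption: mongod before 3.6 listened on all interfaces when bindIp was absent.
    bind_ip = net.get("bindIp", "0.0.0.0")
    exposed = net.get("bindIpAll", "").lower() == "true" or not loopback_only(bind_ip)
    auth_on = security.get("authorization", "disabled").lower() == "enabled"

    findings = []
    if exposed and not auth_on:
        findings.append("CRITICAL: bindIp=%s reachable from the network with "
                        "security.authorization disabled; anyone who can reach the "
                        "port has full admin rights" % bind_ip)
    elif exposed:
        findings.append("WARN: bindIp=%s reachable from the network; restrict with a "
                        "firewall and require TLS" % bind_ip)
    elif not auth_on:
        findings.append("WARN: security.authorization disabled; any local process "
                        "has full admin rights")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["OK"])
```

The check deliberately treats an absent bindIp as exposed rather than trusting the binary's default, because the instances hit in these attacks were mostly ones nobody had consciously configured; a hardened file states both settings explicitly so a later package upgrade cannot silently change them.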

Read more in:

Bleeping Computer: Admin Accounts With No Passwords at the Heart of Recent MongoDB Ransom Attacks

DolphinAttack Makes Digital Devices Respond to Inaudible Voice Commands (September 11, 2017)

Many digital devices accept voice commands. Researchers at Zhejiang University in China have developed DolphinAttack, which modulates voice commands onto ultrasonic carriers (above 20 kHz): humans cannot hear them, but the nonlinearity of ordinary microphones demodulates them back into the audible band, so the device's speech recognizer processes them as normal commands. The researchers used DolphinAttack in several proof-of-concept demonstrations, "activating Siri to initiate a FaceTime call on iPhone, activating Google Now to switch the phone to the airplane mode, and even manipulating the navigation system in an Audi automobile."
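The mechanism behind the attack, as an added example that is not the researchers' code and goes beyond what the summary states: a command (here a 1 kHz tone standing in for speech) is amplitude-modulated onto a 25 kHz carrier, so the emitted signal has no audible content; a second-order nonlinearity in the microphone and amplifier chain, modelled here as y = x + a*x^2, multiplies the signal by itself and drops a copy of the command into the audible band. All signals are synthetic, the sample rate and window are chosen so every tone sits exactly on a DFT bin, and the nonlinearity coefficient is an assumed value.

```python
"""Minimal model of DolphinAttack: AM onto an ultrasonic carrier, then demodulation
by a quadratic microphone nonlinearity. Pure Python, synthetic signals only;
not the paper's code."""
import math

FS = 192_000        # sample rate (Hz); must hold the 2*f_c distortion product (50 kHz)
N = 192             # 1 ms window -> 1 kHz bins, so every tone below is bin-aligned
F_BASEBAND = 1_000  # stand-in for the voice command (Hz)
F_CARRIER = 25_000  # ultrasonic carrier (Hz), above human hearing
MOD_DEPTH = 0.8     # AM modulation index m
NONLINEARITY = 0.5  # assumed coefficient a of the x^2 term in the mic/amp model


def modulated_signal(n=N):
    """x(t) = (1 + m cos(2π f_b t)) cos(2π f_c t).
    Spectrum: f_c and f_c ± f_b only, i.e. nothing below 24 kHz."""
    out = []
    for k in range(n):
        t = k / FS
        envelope = 1.0 + MOD_DEPTH * math.cos(2 * math.pi * F_BASEBAND * t)
        out.append(envelope * math.cos(2 * math.pi * F_CARRIER * t))
    return out


def microphone(x, a=NONLINEARITY):
    """Second-order nonlinearity y = x + a x^2. Expanding the square term gives
    a*m*cos(2π f_b t) at baseband: the command reappears with amplitude a*m."""
    return [s + a * s * s for s in x]


def tone_amplitude(samples, freq):
    """Amplitude of one frequency via the Goertzel recurrence (a single DFT bin);
    exact for bin-aligned tones, which is why FS and N were chosen as above."""
    n = len(samples)
    k = round(freq * n / FS)
    w = 2 * math.pi * k / n
    coeff = 2 * math.cos(w)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    re = s_prev - s_prev2 * math.cos(w)
    im = s_prev2 * math.sin(w)
    return 2 * math.hypot(re, im) / n  # |X(k)| = N*A/2 for a cosine of amplitude A


def demodulated_command_amplitude():
    """(before_mic, after_mic): baseband amplitude at f_b as emitted by the attacker's
    speaker versus after the microphone nonlinearity."""
    x = modulated_signal()
    return tone_amplitude(x, F_BASEBAND), tone_amplitude(microphone(x), F_BASEBAND)


if __name__ == "__main__":
    before, after = demodulated_command_amplitude()
    print("1 kHz content in the air:       %.4f" % before)   # ~0: inaudible
    print("1 kHz content after microphone: %.4f" % after)    # a*m = 0.4: recovered
```

The defensive reading is the same as the researchers': a recognizer that sees energy above roughly 20 kHz at its analogue front end, or that requires the command's harmonic structure to match a real voice, has a way to reject this, whereas simply trusting whatever the microphone delivers does not.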

Read more in:

Technology Review: Secret Ultrasonic Commands Can Control Your Smartphone, Say Researchers
Arxiv: DolphinAttack: Inaudible Voice Commands

Chrome 63 Will Warn of Man-in-the-Middle Attacks (September 10 & 11, 2017)

When Google releases Chrome 63 in December 2017, the browser will include a warning page that appears when it detects software on the user's computer intercepting its connections, the situation the browser treats as a potential man-in-the-middle (MitM) attack. The warning is triggered when Chrome sees an anomalously large number of failed SSL/TLS connections; in practice the cause is usually a misconfigured antivirus or other TLS-inspecting product on the machine rather than a remote attacker.

Read more in:

Bleeping Computer: Google Chrome Will Soon Warn You of Software That Performs MitM Attacks
V3: Google Chrome to provide 'man in the middle' attack warnings

Google to Rescind Chrome's Trust in Symantec Certificates (September 11 & 12, 2017)

When Google releases Chrome 66 in March 2018, the browser will no longer trust Symantec certificates issued prior to June 1, 2016. "Around the week of October 23, 2018, Chrome 70 will be released, which will fully remove trust in Symantec's old infrastructure and all of the certificates it has issued."

[Editor Comments]

[Northcutt] This is not corporate sniping, Chrome is demonstrating leadership where Symantec has failed badly and is turning over the business to DigiCert. This didn't happen overnight, and the fix will be phased in as well.

Read more in:

The Register: Google to kill Symantec certs in Chrome 66, due in early 2018
Google Blog: Chrome's Plan to Distrust Symantec Certificates

Brookings Event Focused on National Security Concerns in Elections (September 8, 2017)

Speaking on a panel at a Brookings Institution event on September 8, Alex Halderman said he has little confidence in the security of electronic voting equipment widely used across the US. Halderman, who is director of the University of Michigan's Center for Computer Security and Society, says there should be less reliance on technology in elections, and that "what we need is a system that relies on physical fail-safes." Other panelists included John R. Allen, Susan Hennessey, and Dean Logan.

[Editor Comments]

[Murray] We are now able to optically scan and count paper ballots fast enough that it is not necessary to rely on other recording mechanisms. However, election fraud is far more often in the counting and reporting than in the recording. We need less focus on the recording of votes and more on ensuring that only and all valid ballots are counted.

Read more in:

Brookings: National security imperative of addressing foreign cyber interference in U.S. elections
GCN: Stronger election security with less technology

GSA Bug Bounty Program (September 9, 2017)

The US General Services Administration has announced that it will launch a bug bounty program. It is the first civilian federal agency to do so. The program will operate under GSA's Technology Transformation Service (TTS). The program will be limited to certain TTS services.

[Editor Comments]

[Pescatore] This will assess how well GSA can manage the process. The initial software target is the GSA Federalist web page tool that is currently in use at about 80 simple US Government web pages using Jekyll-based templates.

Read more in:

Fifth Domain: GSA offers bounty for computer bugs
HackerOne: TTS Bug Bounty: The First Civilian Agency Public Bug Bounty Program

Medical Infusion Pump Vulnerabilities (September 7 & 8, 2017)

According to an advisory from the US Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (DHS ICS-CERT), eight vulnerabilities in Smiths Medical Medfusion 4000 wireless syringe infusion pumps could be exploited to gain access to the devices and take control of their operation. Smiths Medical plans to release a software update to address the problems in January 2018 and has suggested several mitigations until the update is available.

[Editor Comments]

[Murray] Bad design is bad and should be remedied. All appliances should be sufficiently robust and resistant to interference for their intended application and environment. While these digital devices may be marginally more vulnerable to malicious interference than the analog devices that they displace, they are also more effective and efficient. We should take care not to raise disproportionate alarm.

Read more in:

RAPS: DHS Warns of 8 Cybersecurity Vulnerabilities in Smiths Medical Wireless Infusion Pumps
Smiths: Medfusion 4000 Cyber Security Statement
ICS-CERT: Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities

Flaws in German Voting Software Could Be Exploited to Alter Vote Counts (September 7, 2017)

The Chaos Computer Club (CCC) has found a way to alter ballot counts in German elections. CCC examined PC-Wahl, software used in Germany to record and transmit election results, and managed to take control of the server that provides updates to PC-Wahl and insert code that manipulates the vote tallies.

[Editor Comments]

[Murray] One would expect controls that deny the CCC access to such sensitive servers. That said, the absence of such controls in the counting steps is a greater problem than in the recording steps.

Read more in:

Daily Beast: Hacking Collective Finds Flaw That Allows Tampering With Election Vote Counts


INTERNET STORM CENTER TECH CORNER

Analyzing JPEG Files

Auditing Windows with WINspect

Windows PSSetLoadImageNotifyRoutine Vulnerability

IOTA Cryptocurrency Vulnerable Hash Function

Cisco Struts Updates

Google Chrome Warning Users of Anti-Malware SSL Interception

Machine Learning To Identify Malicious TLS Connections

Comodo Breaking CAA Standard

The Editorial Board of SANS NewsBites

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. A free subscription is available from SANS.