Final Days to get an iPad Mini 4, a Galaxy Tab A, or Take $250 Off with Online Training - Register by 9/27!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #72

September 12, 2017

Equifax Hack Survival Kit:

  1. A SANS blog/template detailing exactly what security leaders can tell their people about the hack. https://securingthehuman.sans.org/blog/2017/09/08/awareness-officers-what-to-communicate-about-the-equifax-hack
  2. A SANS webcast Wednesday 9/13 at 3:30pm ET with latest updates and once again covering what security leadership can tell their people and organization. https://www.sans.org/webcasts/about-equifax-hack-105880
  3. Brian Krebs' guide to applying a security freeze so no one can access your credit scores. That stops most lenders from giving credit to imposters, and does the most to protect you. Unfortunately, few people know about it. https://krebsonsecurity.com/2015/06/how-i-learned-to-stop-worrying-and-embrace-the-security-freeze/

Alan

TOP OF THE NEWS


Legislators Call for Equifax Hearings and Investigations
Virginia Election Board Elects to Decertify eVoting Machines That Do Not Provide Receipts
Bossert Says Offensive Cyber Attack Not a Deterrent

THE REST OF THE WEEK'S NEWS


Class Action Lawsuits Filed Against Equifax
Unprotected Admin Accounts Contributed to Recent MongoDB Attacks
DolphinAttack Makes Digital Devices Respond to Inaudible Voice Commands
Chrome 63 Will Warn of Man-in-the-Middle Attacks
Google to Rescind Chrome's Trust in Symantec Certificates
Brookings Event Focused on National Security Concerns in Elections
GSA Bug Bounty Program
Medical Infusion Pump Vulnerabilities
Flaws in German Voting Software Could Be Exploited to Alter Vote Counts

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Sophos Inc. **********************

A new era of endpoint protection - Sophos Intercept X ushers in a new era of endpoint protection for modern threats. It features signatureless anti-exploit, anti-ransomware, and anti-hacker technology, plus visual rootcause analysis and advanced malware cleanup. What are you waiting for? Try it free today: http://www.sans.org/info/198225

***************************************************************************

TRAINING UPDATE

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Baltimore Fall 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS OnDemand and vLive Training | Get a GIAC Certification Attempt or $350 Off your OnDemand or vLive course when you register by September 13! https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

*****************************************************************************

TOP OF THE NEWS

Legislators Call for Equifax Hearings and Investigations (September 8 & 11, 2017)

The US House Financial Services Committee announced last week that it will hold a hearing on the Equifax breach that compromised the personal information of as many as 143 million people. Senator Tammy Baldwin (D-Wisconsin) has asked the Senate Commerce Committee to schedule a hearing, and Representative Ted Lieu (D-California) has called for the House Judiciary Committee to launch an investigation as well.

[Editor Comments]

[Pescatore] We all know how this latest mega-breach will play out: CEO perp walk in front of Congress, some C-level firings, class action lawsuits, security consulting firms get revenue, yada yada. What is important is that CISOs take advantage of the publicity-driven window of opportunity to drive change and make real advances in security at their own companies or agencies - before management attention gets diverted by the next headline-driven distraction. Failure of application security, including possible failure to mitigate the Apache STRUTS vulnerabilities enabled the breach. Other failures in basic security hygiene obviously led to a time to detect of almost 2 months. Using high visibility failures as tailwinds to get management backing is a time-honored strategy in business and in security.

[Ranum] There is never so good a time to lock the barn door as when the horse is out. That way, the horse can't get its butt in the way.

Read more in:

The Hill: Week ahead: Lawmakers alarmed by Equifax breach http://thehill.com/policy/cybersecurity/349838-week-ahead-lawmakers-alarmed-by-equifax-breach
The Hill: House committee to hold hearing on Equifax data breach http://thehill.com/policy/finance/349823-gop-chairman-to-hold-hearing-on-equifax-data-breach
The Hill: Dem calls for Judiciary investigation into Equifax hack http://thehill.com/policy/349799-rep-calls-for-judiciary-investigation-into-equifax

Virginia Election Board Elects to Decertify eVoting Machines That Do Not Provide Receipts (September 8 & 11, 2017)

Virginia's three-member State Board of Elections has voted to decertify Direct Recording Electronic (DRE) touch-screen voting machines, which do not provide paper receipts. The board wants to replace the machines currently in use in time for the November 7, 2017 elections, less than two months away.

[Editor Comments]

[Williams] For years, manufacturers of electronic voting machines fought to keep their devices away from security researchers, arguing that audits would undermine security. Every e-voting machine available at DEFCON was hacked in the opening hours of the conference. None were left standing. Security through obscurity technically is security, but that argument falls short when we're talking about critical infrastructure.

[Pescatore] The companies that produce and sell insecure voting machines deserve the loss in revenue. States/localities that rushed to buy computerized election systems without considering security will also deservedly feel the pain - just the way hospitals feel the pain for buying the insecure medical machinery sold by that industry. The way elections are run in the US, however, do not lend themselves to market drive or bottom up approaches - I'd like to see Congressional review of DHS progress since January 2017 when they declared election systems to be Critical Infrastructure.

Read more in:

Reuters: Virginia halts use of voting machines considered vulnerable to hacking http://www.reuters.com/article/us-usa-cyber-election-virginia/virginia-halts-use-of-voting-machines-considered-vulnerable-to-hacking-idUSKCN1BJ2PY
The Register: Virginia scraps poke-to-vote machines hackers destroyed at DefCon http://www.theregister.co.uk/2017/09/11/virginia_to_scrap_touchscreen_voting_machines/
Washington Post: Virginia bans certain voting machines over hacking concerns https://www.washingtonpost.com/local/virginia-bans-certain-voting-machines-over-hacking-concerns/2017/09/08/8687ff4e-94da-11e7-8482-8dc9a7af29f9_story.html

Bossert Says Offensive Cyber Attack Not a Deterrent (September 8, 2017)

In his keynote address at the Intelligence & National Security Summit in Washington, DC last week, assistant to the president for homeland security and counterterrorism Tom Bossert told the audience, "There's very little reason to believe that an offensive cyberattack is going to have any deterrent effect on a cyber adversary." Former US intelligence officials do not agree with that position.

[Editor Comments]

[Murray] Refreshing! Economic, criminal, and political sanctions are likely to be more effective deterrents.

[Williams] As someone who's been there and has the tee shirt when it comes to offensive cyber operations, I agree with Bossert here 100%. Attribution is a key component of deterrence and we simply don't have solid attribution when it comes to cyber. Even if the adversary suffers as a result of a cyber attack, unless they know who attacked them it's not much of a deterrent against future action. Publicly announcing you perpetrated the attack isn't effective either. You are now tying the tools used to your activity (not smart) and allowing attribution elsewhere. Either that or you have to rely on one-off developed tools, dramatically increasing the cost of offensive operations.

Read more in:

Cyberscoop: Former officials buck White House adviser's comments about government hacking https://www.cyberscoop.com/tom-bossert-government-hacking/
*************************** SPONSORED LINKS *******************************
1) SANS analyst Jerry Shenk will reveal how he put Carbon Black's Cb Defense through simulated attacks to see what it detected and how it took action. Register: http://www.sans.org/info/198230
2) This presentation reviews the top twenty cyberattack classes for ICS, and describes how to use these attacks to evaluate ICS security programs. Register: http://www.sans.org/info/198235
3) Jake Williams shows how leveraging behavior-based indicators of compromise (BIOCs) can automate incident response to ensure your security workflow takes advantage of lessons learned. http://www.sans.org/info/198240
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Class Action Lawsuits Filed Against Equifax (September 8, 2017)

Following news of the Equifax breach, which compromised personal information of as many as 143 million people, two class action lawsuits have already been filed against the company: one in Georgia and one in Oregon.

Read more in:

Cyberscoop: Multiple class-action lawsuits filed in wake of Equifax breach https://www.cyberscoop.com/equifax-lawsuit-class-action-data-breach/
The Register: Surprising nobody, lawyers line up to sue the crap out of Equifax http://www.theregister.co.uk/2017/09/08/lawyers_line_up_to_sue_equifax/
Reg Media: Oregon complaint https://regmedia.co.uk/2017/09/08/equifaxoregoncomplaint.pdf
Reg media: North Georgia Complaint: https://regmedia.co.uk/2017/09/08/equifaxgeorgiasuit.pdf

Unprotected Admin Accounts Contributed to Recent MongoDB Attacks (September 11, 2017)

According to MongoDB's Senior Director of Product Security, the ransomware attacks that recently targeted MongoDB databases were successful because administrator account passwords had not been set. MongoDB plans to strengthen security policies in the upcoming MongoDB 3.6.0 release.

Read more in:

Bleeping Computer: Admin Accounts With No Passwords at the Heart of Recent MongoDB Ransom Attacks https://www.bleepingcomputer.com/news/security/admin-accounts-with-no-passwords-at-the-heart-of-recent-mongodb-ransom-attacks/

DolphinAttack Makes Digital Devices Respond to Inaudible Voice Commands (September 11, 2017)

Many digital devices are capable of responding to voice controls. Researchers at Zhejiang University in China have developed DolphinAttack, which uses ultrasonic messages to communicate with and take control of digital devices. The researchers used DolphinAttack in several proof-of-concept demonstrations, "activating Siri to initiate a FaceTime call on iPhone, activating Google Now to switch the phone to the airplane mode, and even manipulating the navigation system in an Audi automobile."

Read more in:

Technology Review: Secret Ultrasonic Commands Can Control Your Smartphone, Say Researchers https://www.technologyreview.com/s/608825/secret-ultrasonic-commands-can-control-your-smartphone-say-researchers/
Arxiv: DolphinAttack: Inaudible Voice Commands https://arxiv.org/abs/1708.09537

Chrome 63 Will Warn of Man-in-the-Middle Attacks (September 10 & 11, 2017)

When Google releases Chrome 63 in December, 2017, the browser will include a feature that warns users if it detects a potential man-in-the-middle (MitM) attack. The warning screen will let users know if Chrome has detected software attempting to hijack the Internet connection. The warning will be triggered when the browser detects anomalously large numbers of failed SSL connections.

Read more in:

Bleeping Computer: Google Chrome Will Soon Warn You of Software That Performs MitM Attacks https://www.bleepingcomputer.com/news/security/google-chrome-will-soon-warn-you-of-software-that-performs-mitm-attacks/
V3: Google Chrome to provide 'man in the middle' attack warnings https://www.v3.co.uk/v3-uk/news/3017079/google-chrome-to-provide-man-in-the-middle-attack-warnings

Google to Rescind Chrome's Trust in Symantec Certificates (September 11 & 12, 2017)

When Google releases Chrome 66 in March 2018, the browser will no longer trust Symantec certificates issued prior to June 1, 2016. "Around the week of October 23, 2018, Chrome 70 will be released, which will fully remove trust in Symantec's old infrastructure and all of the certificates it has issued."

[Editor Comments]

[Northcutt] This is not corporate sniping, Chrome is demonstrating leadership where Symantec has failed badly and is turning over the business to DigiCert. This didn't happen overnight and the fix will be phased in as well:

https://arstechnica.com/information-technology/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/
https://www.symantec.com/about/newsroom/press-releases/2017/symantec_0802_01

Read more in:

The Register: Google to kill Symantec certs in Chrome 66, due in early 2018 http://www.theregister.co.uk/2017/09/12/chrome_66_to_reject_symantec_certs/
Google Blog: Chrome's Plan to Distrust Symantec Certificates https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html#

Brookings Event Focused on National Security Concerns in Elections (September 8, 2017)

Speaking on a panel at a Brookings Institution event on September 8, Alex Halderman said he has little confidence in the security of electronic voting equipment widely used across the US. Halderman, who is director of the University of Michigan's Center for Computer Security and Society, says there should be less reliance on technology in elections, and that "what we need is a system that relies on physical fail-safes." Other panelists included John R. Allen, Susan Hennessey, and Dean Logan.

[Editor Comments]

[Murray] We are now able to optically scan and count paper ballots fast enough that it is not necessary to rely on other recording mechanisms. However, election fraud is far more often in the counting and reporting than in the recording. We need less focus on the recording of votes and more on ensuring that only and all valid ballots are counted.

Read more in:

Brookings: National security imperative of addressing foreign cyber interference in U.S. elections https://www.brookings.edu/events/national-security-imperative-of-addressing-foreign-cyber-interference-in-u-s-elections/
GCN: Stronger election security with less technology https://gcn.com/articles/2017/09/11/election-security.aspx?admgarea=TC_SecCybersSec

GSA Bug Bounty Program (September 9, 2017)

The US General Services Administration has announced that it will launch a bug bounty program. It is the first civilian federal agency to do so. The program will operate under GSA's Technology Transformation Service (TTS). The program will be limited to certain TTS services.

[Editor Comments]

[Pescatore] This will be assess how well GSA can manage the process. The initial software target is the GSA Federalist web page tool that is currently in use at about 80 simple US Government web pages using Jekyll-based templates.

Read more in:

Fifth Domain: GSA offers bounty for computer bugs https://www.fifthdomain.com/civilian/2017/09/08/gsa-offers-bounty-for-computer-bugs/
HackerOne: TTS Bug Bounty: The First Civilian Agency Public Bug Bounty Program https://hackerone.com/tts

Medical Infusion Pump Vulnerabilities (September 7 & 8, 2017)

According to an advisory from the US Department of Homeland Security Industrial Control System Cyber Emergency Response Team (DHS ICS-CERT), vulnerabilities in certain Smiths Medical wireless infusion pumps could be exploited to gain access to the devices and take control of their operations. Smiths Medical plans to release a software update to address the problems in January 2018. The company has suggested several mitigations until the update is available.

[Editor Comments]

[Murray] Bad design is bad and should be remedied. All appliances should be sufficiently robust and resistant to interference for their intended application and environment. While these digital devices may be marginally more vulnerable to malicious interference than the analog devices that they displace, they are also more effective and efficient. We should take care not to raise disproportionate alarm.

Read more in:

RAPS: DHS Warns of 8 Cybersecurity Vulnerabilities in Smiths Medical Wireless Infusion Pumps http://raps.org/Regulatory-Focus/News/2017/09/08/28438/DHS-Warns-of-8-Cybersecurity-Vulnerabilities-in-Smiths-Medical-Wireless-Infusion-Pumps/
Smiths: Medfusion 4000 Cyber Security Statement https://www.smiths-medical.com/company-information/news-and-events/news/2017/september/7/cyber-security-medfusion-4000
ICS-CERT: Smiths Medical Medfusion 4000 Wireless Syringe Infusion Pump Vulnerabilities https://ics-cert.us-cert.gov/advisories/ICSMA-17-250-02

Flaws in German Voting Software Could Be Exploited to Alter Vote Counts (September 7, 2017)

The Chaos Computing Club (CCC) hacking collective has found a way to alter ballot counts in electronic voting systems. CCC examined voting software used in electronic voting systems in Germany. CCC managed to take control of the server that provides updates to the PC-Wahl voting software and insert code that manipulates the vote tallies.

[Editor Comments]

[Murray] One would expect controls that deny the CCC access to such sensitive servers. That said, the absence of such controls in the counting steps is a greater problem than in the recording steps

Read more in:

Daily Beast: Hacking Collective Finds Flaw That Allows Tampering With Election Vote Counts http://www.thedailybeast.com/hacking-collective-finds-flaw-that-allows-tampering-with-election-vote-counts

INTERNET STORM CENTER TECH CORNER

Analyzing JPEG Files

https://isc.sans.edu/forums/diary/Analyzing+JPEG+files/22806/

Auditing Windows with WINspect

https://isc.sans.edu/forums/diary/Windows+Auditing+with+WINspect/22810/

Windows PSSetLoadImageNotifyRoutine Vulnerability

https://breakingmalware.com/documentation/windows-pssetloadimagenotifyroutine-callbacks-good-bad-unclear-part-1/

IOTA Cryptocurrency Vulnerable Hash Function

https://medium.com/@neha/cryptographic-vulnerabilities-in-iota-9a6a9ddc4367

Cisco Struts Updates

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

Google Chrome Warning Users of Anti-Malware SSL Interception

https://twitter.com/sashaperigo/status/906263091624591360

Machine Learning To Identify Malicious TLS Connections

https://arxiv.org/pdf/1607.01639.pdf

Comodo Breaking CAA Standard

https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg08027.html

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create