Cyber Skills Training at SANS Southern California- Anaheim 2018. Save $400 thru 12/20.

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #78

October 3, 2017

TOP OF THE NEWS


Equifax CEO to Appear Before House Committee
Bill Would Have Pentagon Assess Power Grid Attack Risks to US Military
Google to Offer Advanced Gmail Account Protection

THE REST OF THE WEEK'S NEWS


Equifax Breach Was Likely the Work of State-Sponsored Hackers
HP Enterprise Let Russian Company Examine ArcSight Source Code
Android October Security Updates
Netgear Issues Fixes
USPS Informed Delivery Uses Weak Authentication
2016 SEC Breach Compromised Personal Information of Two People
US States Criticize DHS Info on Russian Hacking
Some Macs Not Getting EFI Firmware Updates

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Splunk *******************************

Making Machine Data Useful and Secure with Splunk. Organizations must use every available resource to protect against the latest cyberattacks, the persistent nature of advanced threats, and the ease with which malware can cripple an entire network. One of the most important and often overlooked resources we can tap into is machine data. Download this e-book to hear how three companies are leveraging machine data to protect themselves against the latest cyberthreats. http://www.sans.org/info/198625

***************************************************************************

TRAINING UPDATE

-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 | https://www.sans.org/event/pen-test-hackfest-2017

-- SANS Sydney 2017 | November 13-25 | https://www.sans.org/event/sydney-2017

-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017

-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017

-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | https://www.sans.org/event/siem-tactical-analytics-summit-2017

-- SANS OnDemand and vLive Training | SANS Online Training - Get an iPad, a Samsung Galaxy Tab A or take $250 Off with OnDemand or vLive training through October 11. The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

--Equifax CEO to Appear Before House Committee
(September 29 & October 3, 2017)

Former Equifax CEO Richard F. Smith is scheduled to appear before the US House Committee on Energy and Commerce Subcommittee of Digital Commerce and Consumer Protection on Tuesday, October 3, 2017. In his prepared testimony, Smith outlines the series of errors that led to the breach, including the company's failure to patch systems against the Apache Struts vulnerability earlier this year.

[Editor Comments]
[Pescatore] Whenever I drive by a car crash I try to embed that image in my brain as a form of subliminal stimulus for the next time I'm deciding to make a left turn across traffic or tempted to look at a text message while driving. The Equifax "wreck" should be used for that - and for (1) ammunition in driving change in IT operations in basic configuration and vulnerability management hygiene: (2) lessons learned in why mitigation must be applied until (1) happens; and (3) why continuous monitoring of critical systems is a must, especially when (1) and (2) haven't happened.
[Murray] Like the government, the credit bureaus have been entrusted with more information than they are capable of protecting. We need to transfer the responsibility for accuracy from the subject of the information to those trading in it. It would make them liable for damages resulting from negligence on their part.
[Honan] The sequence of events that led to the security breach highlight a combination of technical and human errors. Do read the reports and apply the lessons learnt from them to your own environment. What I would like to learn more about the breach is why did the vulnerability tool Equifax use not detect the Apache Struts vulnerability and how can we all adjust our tools and processes to ensure we don't suffer the same fate.

Read more in:
Ars Technica: A series of delays and major errors led to massive Equifax breach
https://arstechnica.com/information-technology/2017/10/a-series-of-delays-and-major-errors-led-to-massive-equifax-breach/
CNET: Equifax ex-CEO: Here's what went wrong
https://www.cnet.com/news/equifax-ceo-data-breach-heres-what-went-wrong/
House: Prepared Testimony of Richard F. Smith before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection (PDF)
http://docs.house.gov/meetings/IF/IF17/20171003/106455/HHRG-115-IF17-Wstate-SmithR-20171003.pdf

--Bill Would Have Pentagon Assess Power Grid Attack Risks to US Military
(September 29 & October 2, 2017)

A bill introduced in the US House of Representatives would require the Pentagon, along with the Department of Homeland Security (DHS), the Department of Energy (DoE), and the Director of National Intelligence to produce a report identifying security risks to the country's electrical grid and the effect an attack on the grid would have on the military. The Securing the Electric Grid to Protect Military Readiness Act of 2017 requires that the report also address the effects of isolating the military's infrastructure from the power grid and offer suggestions for overall risk mitigation.

[Editor Comments]
[Assante] The Department of Defense, like any modern enterprise, depends on reliable electricity being provided by a power grid. (The Department has been pursuing goals that include on-installation power generation to supplement their electricity demands, but the dependency will remain for decades to come.) Like roads in the nineteen forties, electricity is an essential infrastructure for war fighting and defense. Understanding the consequences flowing from an electric system attack is necessary to avoid surprise and prudent for planning. Not having a good plan for how to fight through and defend against power system attacks would be irresponsible and risky in today's world.

Read more in:
FCW: What should the military do when the lights go out?
https://fcw.com/articles/2017/10/02/grid-protection-bill-johnson.aspx
The Hill: Bill would require Pentagon to assess security risks to electric grid
http://thehill.com/policy/cybersecurity/353109-bill-would-require-pentagon-to-assess-security-risks-to-electric-grid
Congress: H.R.3855 - Securing the Electric Grid to Protect Military Readiness Act of 2017
https://www.congress.gov/bill/115th-congress/house-bill/3855/text

--Google to Offer Advanced Gmail Account Protection
(October 2, 2017)

Google plans to introduce an enhanced email protection program, which will be marketed to high profile individuals. The Advanced Protection Program aims to help prevent phishing attacks like those that let to the exposure of the US Democratic National Committee (DNC) databases. An attacker would be unable to access an account without being in possession of a physical USB key.

[Editor Comments]
[Pescatore/Honan] This is continuing a trend where home users are more secure on their personal systems than they are on their Windows PCs at work. FIDO certified Secure Keys with USB and Near Field Communication interfaces are widely available, covering PCs and Android mobile devices. When more start coming out with Bluetooth and working with IOS devices, prices will start to drop. Since we know that "high profile individuals" include everyone with access privileges, it is very much time to make this leap away from reusable passwords. If you can't attack the general employee population, start with IT and IT security admins.
[Williams] Google is making the right choice here to add this service. A number of people (myself included) use Gmail because of the ease of use and great functionality. But the global accessibility of Gmail is a concern for many users. The only downside to this service is that it will remove support for 3rd party applications, but disruption should be minimal for most users. This strikes a balance between usability and security, one that I'll definitely be taking advantage of.
[Neely] Strong authentication with a physical key coupled with Google's enhanced anti-phishing/anti-malware protections are raising the bar for ISP provided email. They are not only validating the user, but also validating the web site as genuine. Note: this will break if you're using SSL Inspection. These technical controls, while a needed step in the right direction, still need augmentation by appropriate user awareness training.
[Northcutt] All the articles on this topic appear to be based on this one from Bloomberg:
https://www.bloomberg.com/news/articles/2017-09-29/google-is-said-to-retool-user-security-in-wake-of-political-hack
Read more in:
ZDNet: Google's new Gmail security: If you're a high-value target, you'll use physical keys
http://www.zdnet.com/article/googles-new-gmail-security-if-youre-a-high-value-target-youll-use-physical-keys/

*************************** SPONSORED LINKS ********************************

1) Learn how to protect your applications from DDoS attacks, bots, and data compromise through layered defense.
CTA: Download the free guide http://www.sans.org/info/198630

2) In case you missed it: "Accurate behavior analysis enables detection and of malicious insiders, outsiders and IoT device" Register: http://www.sans.org/info/198635

3) Learn how to use cost models to produce credible cost analyses you can use to help guide your own appsec decisions. http://www.sans.org/info/198640

******************************************************************************

THE REST OF THE WEEK'S NEWS

--Equifax Breach Was Likely the Work of State-Sponsored Hackers
(September 29, 2017)

Bloomberg offers a detailed account of what is currently known about the Equifax breach. Investigators say that the techniques used in the Equifax breach suggest that state-sponsored hackers were involved. While the attack bears certain similarities to those launched against systems at Anthem and the US Office of Personnel Management (OPM), both of which have been attributed too hacking groups with ties to Chinese intelligence, investigators are reluctant to pin the Equifax breach on China.

[Editor Comments]
[Williams] This is irresponsible reporting. One of the big pieces of "evidence" cited is the apparent "team handoff" that occurred once the breach began. They cite that an entry team performed the initial exploit but then handed off to another more skilled group. But this is opposite of the way many groups work, where the entry teams are typically the most skilled and hand off to lesser skilled operations teams once inside the network. While it may have been a nation state attacker, the evidence is far from conclusive.
Read more in:
Bloomberg: The Equifax Hack Has the Hallmarks of State-Sponsored Pros
https://www.bloomberg.com/news/features/2017-09-29/the-equifax-hack-has-all-the-hallmarks-of-state-sponsored-pros

--HP Enterprise Let Russian Company Examine ArcSight Source Code
(October 2, 2017)

In an effort to gain approval to sell its ArcSight software to the public sector in Russia, Hewlett Packard Enterprise allowed Echelon, a Russian company with ties to the country's military, to examine the product's source code. ArcSight is cyber defense software used across systems in the US military to provide real time alerts in the event of cyber attacks. Echelon's president said that while he is required to report discovered vulnerabilities to the government, he must first inform the developer and obtain their permission to disclose the flaws.
[Editor Comments]
[Pescatore ] Huawei allows the UK government to inspect its source code. Kaspersky Labs volunteered to provide source code to the US government. Not to mention that managed bug bounty programs continue to find vulnerabilities in software *without needing source code.* The US government needs to catch up to UK, Russia and China in requiring more of this; it's a necessary step forward in driving improvement in software security.
[Honan] Given the recent US government moves against Kaspersky software this should not come as a surprise to anyone.
Read more in:
Reuters: Special Report: HP Enterprise let Russia scrutinize cyberdefense system used by Pentagon
http://www.reuters.com/article/us-usa-cyber-russia-hpe-specialreport/special-report-hp-enterprise-let-russia-scrutinize-cyberdefense-system-used-by-pentagon-idUSKCN1C716M
Fifth Domain: Report: Company allowed Russia to review major Pentagon defense software
https://www.fifthdomain.com/dod/2017/10/02/report-company-allowed-russia-to-review-major-pentagon-defense-software/

--Android October Security Updates
(October 2 & 3, 2017)

Android's October security bulletin includes fixes for 14 vulnerabilities. Six of the flaws affect the Android media engine, and there are fixes for two critical flaws in the Android kernel. Android partners are notified of the security issues at least one month prior to the fix releases.
Read more in:
The Register: Patch your Android, peeps, it has up to 14 nasty flaws to flog
http://www.theregister.co.uk/2017/10/03/october_android_patches/
Android: Android Security Bulletin-October 2017
https://source.android.com/security/bulletin/2017-10-01#2017-10-05-details

--Netgear Issues Fixes
(October 2, 2017)

Netgear has released 50 patches to address security issues in its products, which include routers, switches, NAS devices, and wireless access points. Netgear posted advisories about the vulnerability fixes on its website at the end of September.
Read more in:
Threatpost: Netgear Fixes 50 Vulnerabilities in Routers, Switches, NAS Devices
https://threatpost.com/netgear-fixes-50-vulnerabilities-in-routers-switches-nas-devices/128230/
Netgear: NETGEAR Product Security
http://www.netgear.com/about/security/

--USPS Informed Delivery Uses Weak Authentication
(October 2, 2017)

The US Postal Service's (USPS's) Informed delivery service allows people who have signed up to view scanned images of each piece of mail before it is delivered to their mailbox. The service is currently available only in certain zip code areas and has approximately 6.3 million subscribers. However, the security the service uses is not particularly strong - four knowledge based authentication questions - leaving the service susceptible to misuse by people with questionable intentions.
Read more in:
KrebsOnSecurity: USPS 'Informed Delivery' Is Stalker's Dream
https://krebsonsecurity.com/2017/10/usps-informed-delivery-is-stalkers-dream/

--2016 SEC Breach Compromised Personal Information of Two People
(October 2, 2017)

US Security and Exchange Commission (SEC) chairman Jay Clayton has acknowledged that a 2016 breach of an agency database compromised personal information of two individuals. The SEC initially said that the breach of its EDGAR corporate filing system did not compromise any personal information.
Read more in:
Reuters: Private information of two people compromised in SEC hack: chairman
http://www.reuters.com/article/us-sec-cyber/private-information-of-two-people-compromised-in-sec-hack-chairman-idUSKCN1C721I
Nextgov: Two People's Information Compromised in SEC Data Breach
http://www.nextgov.com/cybersecurity/2017/10/only-two-peoples-information-compromised-sec-data-breach/141448/?oref=ng-channeltopstory
SEC: Chairman Clayton Provides Update on Review of 2016 Cyber Intrusion Involving EDGAR System
https://www.sec.gov/news/press-release/2017-186

--US States Criticize DHS Info on Russian Hacking
(September 28, 29, & October 2, 2017)

State election officials in California say that the US Department of Homeland Security (DHS) gave them "bad information" about Russia's attempts to hack election systems prior to the 2016 presidential election. Officials in Wisconsin also said that DHS provided conflicting information. DHS said that in some cases, hackers working on behalf of the Russian government scanned other state government systems looking for vulnerabilities they could exploit to gain access to elections systems later. In a related story, former Homeland Security Secretary Jeh Johnson told a congressional task force that the breaches of voter registration databases last year raised concerns of "a huge catastrophic attack."
[Editor Comments]
[Williams] If the information DHS provided to states is anything like that in the GRIZZLY STEPPE report, then states have a right to complain. One thing missing in the indicators is a temporal value for when the indicator was observed active. This is especially important for IP addresses that belong to cloud providers, such as Amazon. The attacker likely controlled that IP for a short time. But setting an IDS alert for that IP address, which may not belong to a legitimate service provider, can cause denial of service issues. Searching through historical netflow logs and finding connections to the IP address from times before the attacker controlled the IP cause false positives. DHS certainly must redact some data to protect sources and methods, but too much redaction makes the information effectively unusable.
Read more in:
The Hill: California: DHS gave 'bad information' on Russian hacking
http://thehill.com/policy/cybersecurity/352902-california-says-dhs-gave-bad-info-on-russian-targeting
Fifth Domain: DHS: Hackers targeted other systems to find election weak spots
https://www.fifthdomain.com/civilian/dhs/2017/09/28/homeland-security-clarifying-state-election-hacking-attempts/
FCW: Former DHS chief feared catastrophic attack on election systems
https://fcw.com/articles/2017/09/28/dhs-jeh-johnson-election-attack-forum.aspx
SC Magazine: DHS tells Calif., Wis., Russians targeted networks other than election systems
https://www.scmagazine.com/dhs-tells-calif-wis-russians-targeted-networks-other-than-election-systems/article/696520/
Cyberscoop: States want more from DHS after confusing update on 2016 election hacking activity
https://www.cyberscoop.com/dhs-election-hacking-state-information/?category_news=technology
Nextgov: State Election Officials Still Angry but Ready to Work with DHS
http://www.nextgov.com/cybersecurity/2017/10/state-election-officials-still-angry-ready-work-dhs/141443/?oref=ng-channelriver

--Some Macs Not Getting EFI Firmware Updates
(September 29 & 30, 2017)

According to a report from Duo Labs, some Macs running current versions of operating systems are not receiving the latest EFI (extensible firmware interface) firmware updates. Apple began bundling EFI updates with regular macOS updates in 2015. Duo drew its conclusion from analysis of telemetry data gathered from more than 73,000 Mac systems.
Read more in:
Bleeping Computer: Many Up-To-Date Macs Not Getting EFI Firmware Updates
https://www.bleepingcomputer.com/news/apple/many-up-to-date-macs-not-getting-efi-firmware-updates/
Threatpost: Macs Not Receiving EFI Firmware Security Updates as Expected
https://threatpost.com/macs-not-receiving-efi-firmware-security-updates-as-expected/128191/
Duo: Analyzing the Data, What Was Found?
https://duo.com/assets/ebooks/Duo-Labs-The-Apple-of-Your-EFI.pdf#page=26

INTERNET STORM CENTER TECH CORNER

Who's Borrowing Your Resources? Javascript Monero Miners on Video Sites

https://isc.sans.edu/forums/diary/Whos+Borrowing+your+Resources/22882/

Investigating Security Incidents with Passive DNS

https://isc.sans.edu/forums/diary/Investigating+Security+Incidents+with+Passive+DNS/22886/

Apple EFI Updates Often Not Applied

https://duo.com/blog/the-apple-of-your-efi-mac-firmware-security-research

OS X Silently Patches Javascript Quarantine Bypass

https://www.wearesegment.com/research/Mac-OS-X-Local-Javascript-Quarantine-Bypass.html

Bypassing Domain Authentication

https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c

DNSMasq Vulnerabilities

https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create