Get an 12.9" iPad Pro, Surface Pro or $400 Off Online Training - Only 2 Days Left!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #83

October 20, 2017

TOP OF THE NEWS


Bill Would Allow CFAA Exemptions for Defensive Cyber Activity
Google's Advanced Protection Program
Google Announces Bug Bounty Aimed at Finding Flaws in Android Apps

THE REST OF THE WEEK'S NEWS


Scanning for Private SSH Keys Increases
CERT Updates List of Risky Emerging Tech
FBI Recruitment Program
FBI Wants DDoS Data
NYPD Property and Evidence Database Has No Backups
Patching Against Krack Exploit
Lenovo Issues Patches for Flaws
Reuters: Microsoft Vulnerability Database Breached in 2013
Maritime Satellite Communication Security

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By SANS *******************************

Join the SANS Institute in Boston at the SOC Briefing for the Cybersecurity Community where vendors will present sessions demonstrating their tools and capabilities to support threat hunting, or incorporate the results of threat hunting. This half- day event is free to the Cybersecurity Community. Networking lunch following. Not in Boston? Attend via simulcast. More info at: http://www.sans.org/info/199010

***************************************************************************

TRAINING UPDATE

-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 | https://www.sans.org/event/pen-test-hackfest-2017

-- SANS Sydney 2017 | November 13-25 | https://www.sans.org/event/sydney-2017

-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017

-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017

-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | https://www.sans.org/event/siem-tactical-analytics-summit-2017

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS OnDemand and vLive Training | SANS Online Training - Get an iPad, a Samsung Galaxy Tab A or take $250 Off with OnDemand or vLive training through October 11. The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility
Live Daytime training with Simulcast - https://www.sans.org/simulcast
Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

--Bill Would Allow CFAA Exemptions for Defensive Cyber Activity
(October 18, 2017)

Two US legislators have introduced a bill that would allow organizations to access computers and networks without authorization if they are acting to find evidence for attribution of an attack, trying to stop an attack on their networks, to monitor attackers, or to retrieve or destroy stolen data. The bill would exempt the organizations from certain provisions of the Computer Fraud and Abuse Act (CFAA).

[Editor Comments]
[Henry] I believe the government's fundamental responsibility is to protect its citizens; I believe the private sector can assist the government by sharing valuable intelligence that would allow the government to do just that. Congress should be crafting legislation that encourages and enables the private sector to share that intelligence in a formalized and more effective way, so the government can use its capabilities and authorities to identify and mitigate threats. The proposed legislation, as described, is fraught with peril and will cause many more problems than it solves.
[Williams] The bill is not designed to help organizations stop an attack. It is designed to allow you to get attribution information for the FBI. As written, the FBI will have de-facto approval authority on all operations. The bill does not address civil liability or the legal implications if the target is in another country.
[Murray] This sounds like an invitation to mischief. We already have a problem with rogue hackers excusing their behavior as 'research.' "The road to hell is paved with good intentions." We all want to be judged by our motives while judging others by their behavior.
[Northcutt] I love the smell of cyberwar in the morning; that's where I think this leads. Attribution is a very hard problem. They call it a discussion draft for a very good reason; please take the time to read and comment.

Read more in:
eWeek: U.S Lawmakers File Bill to Enable Businesses to Pursue Cyber-Criminals
http://www.eweek.com/security/u.s-lawmakers-file-bill-to-enable-businesses-to-pursue-cyber-criminals
House.gov: Rep. Tom Graves Formally Introduces Active Cyber Defense Bill
https://tomgraves.house.gov/news/documentsingle.aspx?DocumentID=398840
House.gov: [Discussion Draft] Active Cyber Defense Certainty Act - 2.0
https://tomgraves.house.gov/uploadedfiles/discussion_draft_active_cyber_defense_certainty_act_2.0_rep._tom_graves_ga-14.pdf

--Google's Advanced Protection Program
(October 17 & 18, 2017)

Google has introduced its Advanced Protection Program, which "provides Google's strongest security, designed for those who are at an elevated risk of attack and are willing to trade off a bit of convenience for more protection of their personal Google Accounts." The program currently offers protection against phishing; protecting sensitive data from being accidentally shared; and blocking fraudulent account access. Users opting in to the program will need to purchase physical security keys.

[Editor Comments]
[Neely] Using USB security devices as part of a robust Multi-Factor-Authentication (MFA) program for those at elevated risk, is excellent - all user accounts should already be configured to use Google's two-factor authentication and/or application specific passwords.

Read more in:
Wired: Google's 'Advanced Protection' Locks Down Accounts Like Never Before
https://www.wired.com/story/google-advanced-protection-locks-down-accounts/
Cyberscoop: Google releases new email, browser security features to prevent common hacking issues
https://www.cyberscoop.com/google-releases-new-email-browser-security-features-prevent-common-hacking-issues/?category_news=technology
Motherboard: Google Just Made Gmail the Most Secure Email Provider on the Planet
https://motherboard.vice.com/en_us/article/kz74ym/google-gmail-advanced-protection-security-keys-yubikey
ZDNet: Google Chrome can now spot even brand new phishing pages
http://www.zdnet.com/article/google-chrome-can-now-spot-brand-new-phishing-pages/
Google: Google's strongest security, for those who need it most
https://www.blog.google/topics/safety-security/googles-strongest-security-those-who-need-it-most/

--Google Announces Bug Bounty Aimed at Finding Flaws in Android Apps
(October 19, 2017)

In an attempt to purge malware-infected apps from its Google Play Store, Google has announced a bug bounty to improve app security. The scope of the program is currently "limited to remote code execution vulnerabilities and corresponding proof-of-concepts that work on Android 4.4 devices and higher." The program is open to Android app developers.

[Editor Comments]
[Neely] Finding all the malware/malicious applications in the Google Play Store has been a challenge; a bug bounty program, properly executed, will go a long way towards finding remaining malfeasance. Google Play Protect, which is in Android 7.1.1, protects devices from identified problem apps. Users with other OS Versions have to rely on adding AV/Malware scanners, or look hard at upgrading.

Read more in:
Reuters: Google offers bug bounty to clean up mobile apps
http://www.reuters.com/article/us-alphabet-google-cyber-bounty/google-offers-bug-bounty-to-clean-up-mobile-apps-idUSKBN1CO2RI
Threatpost: Google Play Bounty Promises $1,000 Rewards for Flaws in Popular Apps
https://threatpost.com/google-play-bounty-promises-1000-rewards-for-flaws-in-popular-apps/128542/
Google: Google Play Security Reward Program Rules
https://www.google.com/about/appsecurity/play-rewards/
HackerOne: Google Play Security Reward Program
https://hackerone.com/googleplay

*************************** SPONSORED LINKS ********************************

1) Don't miss: "The Maturing of Endpoint Detection and Response (EDR): Choose the Right Solution" Register: http://www.sans.org/info/199015

2) Learn innovative techniques for detecting intrusions and producing actionable intelligence at the SIEM & Tactical Analytics Summit: http://www.sans.org/info/199020

3) In Case You Missed it: "The facts about KRACK and your WPA enabled WiFi network" with Larry Pesce. http://www.sans.org/info/199025

******************************************************************************

THE REST OF THE WEEK'S NEWS

--Scanning for Private SSH Keys Increases
(October 17 & 19, 2017)

A spike in scans for private SSH keys may be related to a recent report that noted "a widespread lack of SSH security controls." Website owners would be well-advised to make sure they have not inadvertently "uploaded their SSH private key on their public servers, or committed the SSH private key to Git or SVN repositories."

[Editor Comments]
[Neely] This started with WordPress and has spread. If you're using SSH keys to authenticate to your site, make sure you only put your public key on the site under your home directory, it's really easy to copy both the public and private keys by mistake. When you roll up your code for the repository, make sure your private key is not in the directory with the rest of your project.

Read more in:
Bleeping Computer: Attackers Start Scans for SSH Keys After Report on Lack of SSH Security Controls
https://www.bleepingcomputer.com/news/security/attackers-start-scans-for-ssh-keys-after-report-on-lack-of-ssh-security-controls/
Business Wire: Study: 61 Percent of Organizations Have Minimal Control of SSH Privileged Access
http://www.businesswire.com/news/home/20171017005080/en/Study-61-Percent-Organizations-Minimal-Control-SSH

--CERT Updates List of Risky Emerging Tech
(October 18 & 19, 2017)

The Emerging Technology Domains Risk Survey from the CERT Division of the Software Engineering Institute at Carnegie Mellon University includes an updated list of emerging technologies that could pose security and safety challenges. The technologies added to the list include blockchain, Intelligent Transportation Systems, IoT mesh networks, machine learning, robotic surgery, and smart buildings.

[Editor Comments]
[Honan] The lack of standards for vendors to adhere to in the software world, particularly in IoT, poses a significant risk to the security and privacy of individuals and society. To that end ENISA is researching the area of certification schemes for ICT, more details on this work is available at https://www.enisa.europa.eu/topics/standards/certification

Read more in:
ZDNet: CERT: These emerging technologies bring new risks
http://www.zdnet.com/article/emerging-technologies-bring-new-risks/
The Register: US-CERT study predicts machine learning, transport systems to become security risks
http://www.theregister.co.uk/2017/10/19/cert_cc_threat_survey/
Software Engineering Institute CMU: 2017 Emerging Technology Domains Risk Survey
https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=505311

--FBI Recruitment Program
(October 18, 2017)

Speaking at CyberTalks in Washington, DC, earlier this week, FBI deputy assistant director of the bureau's cybersecurity division, Howard Marshall, told an audience that "a significant portion of our agents and investigators that are not equipped, what you could probably call not tech-savvy." Marshall then described the FBI's pilot program in which agents are working to develop STEM programs in high schools with the goal of encouraging them to attend colleges and universities that sponsor the National Science Foundation's Scholarship for Service program, which guarantees them a job in the public sector when they graduate.

Read more in:
Cyberscoop: FBI's recruitment strategy for cybersecurity pros starts early, focuses on high school
https://www.cyberscoop.com/fbis-recruitment-strategy-cybersecurity-pros-starts-early-focuses-high-school/

--FBI Wants DDoS Data
(October 17 & 18, 2017)

The FBI wants organizations that have experienced distributed denial-of-service (DDoS) attacks to share information about those attacks with their local field offices. The FBI is asking for the traffic protocol the attackers used, ransom demands made, IP addresses used in the attack, netflow and packet capture logs, and any communication from the attackers. The request for the information was made in an FBI PSA about booter and stresser services.

Read more in:
Threatpost: FBI Asks Businesses to Share Details About DDoS Attacks
https://threatpost.com/fbi-asks-businesses-to-share-details-about-ddos-attacks/128523/
IC3: Booter and Stresser Services Increase the Scale and Frequency of Distributed Denial of Service Attacks
https://www.ic3.gov/media/2017/171017-2.aspx

--NYPD Property and Evidence Database Has No Backups
(October 17 & 18, 2017)

A non-profit group has taken the New York City Police Department (NYPD) to court to force it to disclose money seized in cash forfeitures. An attorney for the city of New York told a judge that it is not possible to pull an audit from the NYPD Property and Evidence Tracking System (PETS) because it was not created to allow of data analytics, and that an attempt to query PETS could cause the system, which is not backed up, to crash.

Read more in:
Ars Technica: Judge shocked to learn NYPD's evidence database has no backup
https://arstechnica.com/information-technology/2017/10/nypd-database-that-tracks-seized-evidence-and-cash-has-no-backup/
Courthouse News: No Forfeiture-Database Backup With Millions on the Line, NYPD Admits
https://www.courthousenews.com/no-forfeiture-database-backup-millions-line-nypd-admits/

--Patching Against Krack Exploit
(October 17, 2017)

Vendors are releasing patches for their products to prevent them from being exploited through a fundamental vulnerability in the WPA2 protocol. The exploit is known as the the Key Reinstallation Attack, or Krack. US-CERT was alerted to the vulnerability several months ago and notified vendors so they could develop fixes before the flaw was publicly disclosed. Internet of Things (IoT) devices pose particular concerns, as many do not receive automatic updates and many do not have easily accessible interfaces, which makes it difficult at best for consumers to apply updates even if they do become available.

[Editor Comments]
[Guest Editor Larry Pesce, SANS Wireless Penetration Testing course author]
KRACK affects both WPA and WPA2 in both Pre-Shared Key and Enterprise modes. While the attack is damaging to clients by delivering a MiTM attack, no "official" attack tools have been seen. The methods for delivering the KRACK attack require technical expertise, rely on specific timing, and can be subject to failure due to the operation of 802.11 as a whole. Now is the time to get our "houses in order" by patching access points (APs) and clients (especially Android) when they are available, enabling robust wireless rogue AP detection, WIPS, and leveraging secure MiTM resistant protocols such as SSL/TLS and IPSEC VPNs in addition to WiFi encryption such as continued use of WPA2.
[Murray] While WPA does hide some user traffic from opportunistic eavesdropping, its real purpose is to protect the access point, and its back-haul from unauthorized use. The user must still employ TLS or a VPN to protect themselves from rogue or compromised access points. That said, real security people publish work-arounds, not exploits.

Read more in:
ZDNet: Here's every patch for KRACK Wi-Fi vulnerability available right now
http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/
Wired: Why the Krack Wi-Fi Mess Will Take Decades to Clean Up
https://www.wired.com/story/krack-wi-fi-iot-security-broken/

--Lenovo Issues Patches for Flaws
(October 17, 2017)

Lenovo has released patches to fix several critical flaws that affect millions of the company's devices, including tablets and phones. The vulnerabilities lie in the Lenovo Service Framework, which is used to receive push notifications, and could be exploited to allow remote code execution.

[Editor Comments]
[Murray] When will vendors understand that "service frameworks" are natural targets and require security at least as good as the systems that they service?

Read more in: Threatpost: Lenovo Quietly Patches Massive Bug Impacting Its Android Tablets and Zuk, Vibe Phones
https://threatpost.com/lenovo-quietly-patches-massive-bug-impacting-its-android-tablets-and-zuk-vibe-phones/128489/
Lenovo: Lenovo Android Tablet and Lenovo VIBE, Moto, and ZUK Mobile Phone Remote Code Execution Vulnerability
https://support.lenovo.com/us/en/product_security/len-15374

--Reuters: Microsoft Vulnerability Database Breached in 2013
(October 16 & 17, 2017)

Reuters reports that in 2013, hackers broke into an internal Microsoft database that contained bug tracking information. Microsoft did not disclose details of the incident in 2013 except to issue a statement describing it as a limited intrusion; it did not mention the bug database. For the story, Reuters interviewed five unnamed former employees, who said that the flaws were likely patched within months of the intrusion.

[Editor Comments]
[Murray] There is a difference between publishing patches and patches being applied. There is a fundamental flaw in the strategy of late patching; one has published vulnerabilities only some of which will ever be patched. It places responsibility on users that should be borne by publishers.

Read more in:
Reuters: Exclusive: Microsoft responded quietly after detecting secret database hack in 2013
http://www.reuters.com/article/us-microsoft-cyber-insight/exclusive-microsoft-responded-quietly-after-detecting-secret-database-hack-in-2013-idUSKBN1CM0D0

--Maritime Satellite Communication Security
(October 14 & 18, 2017)

Using the Shodan search engine, Pen Test Partners security researcher Ken Munro identified maritime SATCOM systems and found that in many cases, security was sorely lacking.

Read more in:
Bleeping Computer: To Nobody's Surprise, Ships Are Just as Easy to Hack as Anything Else
https://www.bleepingcomputer.com/news/security/to-nobodys-surprise-ships-are-just-as-easy-to-hack-as-anything-else/
Security Intelligence: Researcher Uncovers Shipping Industry Security Flaws
https://securityintelligence.com/news/researcher-uncovers-shipping-industry-security-flaws/
The Register: IT at sea makes data too easy to see: Ships are basically big floating security nightmares
https://www.theregister.co.uk/2017/10/13/it_at_sea_makes_data_too_easy_to_see/
Pen Test Partners: OSINT from ship satcoms
https://www.pentestpartners.com/security-blog/osint-from-ship-satcoms/

INTERNET STORM CENTER TECH CORNER

Hancitor Malspam Uses DDE Attack to Spread Banking Malware

https://isc.sans.edu/forums/diary/Hancitor+malspam+uses+DDE+attack/22936/

Infineon RSA Key Generation Weakness

https://crocs.fi.muni.cz/public/papers/rsa_ccs17

Chrome Improving Security

https://www.blog.google/products/chrome/cleaner-safer-web-chrome-cleanup/

Baselining Servers to Detect Outliers

https://isc.sans.edu/forums/diary/Baselining+Servers+to+Detect+Outliers/22940/

Test Script Available for KRACK Vulnerability

https://github.com/vanhoefm/krackattacks-test-ap-ft

WaterMiner Distributed With Gaming Mods

https://minerva-labs.com/post/waterminer-a-new-evasive-crypto-miner

Microsoft Releases Fall Creators Update

https://blogs.windows.com/windowsexperience/2017/10/17/whats-new-windows-10-fall-creators-update/#76CQXoUYxT81RLJi.97

Locky Ransomware Updates

https://isc.sans.edu/forums/diary/Necurs+Botnet+malspam+pushes+Locky+using+DDE+attack/22946/
https://isc.sans.edu/forums/diary/HSBCthemed+malspam+uses+ISO+attachments+to+push+Loki+Bot+malware/22942/

AuthedMine To Replace Coinhive

https://coinhive.com/blog/authedmine

Attackers Scan for SSH Keys via Webexploits

https://www.wordfence.com/blog/2017/10/ssh-key-website-scans/

Attacking Colocated Virtual Machines with Rowhammer

https://thisissecurity.stormshield.com/2017/10/19/attacking-co-hosted-vm-hacker-hammer-two-memory-modules/


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create