
Volume XIX - Issue #89

November 10, 2017


SANS NewsBites               November 10, 2017                Vol. 19, Num. 089



Miller and Valasek: IoT Security Problems Are Here to Stay

Equifax Profit Falls As Hacking Costs Take Toll

Amazon S3 Improves Security and Encryption

FBI Cannot Break Encryption on Killer's iPhone


Microsoft Issues Advisory on Mitigating Dynamic Data Exchange Attacks

Governors Want Cohesive Federal Cyber Regulations

Upcoming Versions of Chrome Will Prevent Sketchy Redirects

November Android Security Bulletin Includes Fixes for Krack Flaw

Logitech Will Brick Harmony Link Hubs Next Year

Vulnerability in Brother Printers

Voting Security Bill Introduced in US House

Netflix Phishing Scam


***************************  Sponsored By SANS ******************************

Join the SANS Institute in Boston at the SOC Briefing for the Cybersecurity Community where vendors will present sessions demonstrating their tools and capabilities to support threat hunting, or incorporate the results of threat hunting. This half-day event is free to the Cybersecurity Community. Networking lunch following. Not in Boston? Attend via simulcast. More info at: http://www.sans.org/info/199595



-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017

-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017

-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | https://www.sans.org/event/siem-tactical-analytics-summit-2017

-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

-- SANS OnDemand and vLive Training | Receive a 12.9" iPad Pro, Surface Pro 4 or take $400 Off your OnDemand or vLive course when you register by November 22nd. The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all




Miller and Valasek: IoT Security Problems Are Here to Stay

(November 8, 2017)

In a keynote speech at Black Duck Software's Flight 2017 conference, Charlie Miller and Chris Valasek, the researchers who several years ago made headlines when they remotely manipulated a Jeep's digital systems, spoke about Internet of Things (IoT) security. Miller and Valasek said that there will always be IoT security issues and that industry needs to focus its attention on IoT elements that pose potential safety and health risks, like automobiles and medical devices.

[Editor Comments]

[Murray] There are two security issues with connected appliances.  The one that these hackers focus on is the interference with the intended use of the device.  The other is the exploitation of the device in brute force attacks.  The hackers would have us focus on the former, at the expense of the latter.  We will do that at our peril.

Read more in:

Threatpost: IoT is Insecure, Get Over It! Say Researchers




Equifax Profit Falls As Hacking Costs Take Toll

(November 9, 2017)

Customers are withholding business and profits are falling at Equifax in the wake of the massive breach.



Amazon S3 Improves Security and Encryption

(November 6, 2017)

Amazon has added security and encryption features to its S3 cloud storage service. The five new features are default encryption, permission checks, cross-region replication ACL overwrite, cross-region replication with KMS, and a detailed inventory report.

[Editor Comments]

[Ullrich] Great and overdue move from Amazon. There were a number of high profile breaches that used exposed data from Amazon S3. According to some studies, about 7% of Amazon S3 buckets are left exposed.

[Pescatore]  More protection of data at rest is much, much more valuable than more SSL/protection of data in motion, hugely effective in stopping real world attacks, not just government level monitoring. But encryption and privilege management done wrong can be like holding the wrong end of a fire extinguisher to put out a fire: high probability of self-inflicted wounds without putting out the fire. Amazon embedding these kinds of features into storage as a service can be a great advance, if your administrators have the skills, processes and tools to use the features correctly. Amazon offers fee-based services (Macie) to help, Cloud Access Security Broker services are another option - but don't neglect those admin skills.
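The summary above lists S3's new default-encryption and permission-check features, and Ullrich's comment puts the share of exposed buckets at roughly 7%. The following is an added example, not Amazon's code and not part of the original newsletter: an offline audit that takes the ACL and default-encryption configuration of a bucket in the shape returned by boto3's get_bucket_acl() and get_bucket_encryption() (or the JSON from `aws s3api get-bucket-acl` / `get-bucket-encryption`) and reports public ACL grants and missing or weak default encryption. The bucket names and their settings below are constructed sample data, not real buckets.

```python
"""Offline audit of S3 bucket ACLs and default encryption.

Added example (not Amazon's code). The input dicts have the shape that
boto3's get_bucket_acl() / get_bucket_encryption() return; `encryption` is
None when get_bucket_encryption raised
ServerSideEncryptionConfigurationNotFoundError (no default encryption).
"""

# ACL grantee groups that expose a bucket beyond its owning account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def acl_findings(acl):
    """Flag ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and who:
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    return findings


def encryption_findings(encryption, require_kms=False):
    """Flag a bucket with no default encryption, an unknown algorithm, or
    (when require_kms is set) SSE-S3 where policy demands SSE-KMS."""
    if encryption is None:
        return ["no default encryption configured"]
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        return ["no default encryption configured"]
    findings = []
    for rule in rules:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo not in ("AES256", "aws:kms"):
            findings.append(f"unrecognised default SSE algorithm: {algo!r}")
        elif require_kms and algo != "aws:kms":
            findings.append("default encryption is SSE-S3, not SSE-KMS")
    return findings


def audit_bucket(name, acl, encryption, require_kms=False):
    """Return one finding string per problem, prefixed with the bucket name."""
    problems = acl_findings(acl) + encryption_findings(encryption, require_kms)
    return [f"{name}: {p}" for p in problems]


# Constructed sample data (hypothetical bucket names, not real buckets).
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
SAMPLE = {
    "corp-backups": {  # publicly readable and unencrypted: the breach pattern
        "acl": {"Owner": {"ID": "owner-id"}, "Grants": [
            OWNER,
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ]},
        "encryption": None,
    },
    "corp-logs": {  # owner-only ACL, SSE-KMS by default: nothing to report
        "acl": {"Owner": {"ID": "owner-id"}, "Grants": [OWNER]},
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                    "KMSMasterKeyID": "alias/corp-logs"}}]}},
    },
}


def audit_all(buckets=SAMPLE, require_kms=False):
    report = []
    for name, cfg in buckets.items():
        report.extend(audit_bucket(name, cfg["acl"], cfg["encryption"], require_kms))
    return report


if __name__ == "__main__":
    for line in audit_all() or ["no findings"]:
        print(line)
```

The check covers ACLs only; a bucket can also be opened to the world through its bucket policy, so a real audit pairs this with get_bucket_policy_status() and treats either path as public. The S3 log-delivery group is deliberately not flagged, since granting it write access is how server access logging works.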

Read more in:

Amazon Blog: New Amazon S3 Encryption & Security Features




FBI Cannot Break Encryption on Killer's iPhone

(November 8, 2017)

The FBI has so far been unable to get past the encryption on an iPhone belonging to the man who shot and killed 26 people in Texas on Sunday, November 5. Apple says it offered to help and "would expedite any legal process [the FBI] sends [them]." If Apple and the FBI had been in contact within 48 hours of the attack, it is possible they could have used TouchID to unlock the iPhone; once 48 hours have passed since the iPhone was last unlocked, a passcode is required. (Please note the WSJ story is behind a paywall.)

[Editor Comments]

[Neely] As the security and encryption strength of mobile devices has increased, the viability of brute force access to them is approaching zero, so it becomes prudent to attempt biometric access more rapidly than traditional forensics techniques allow. That avenue is also becoming more difficult as device manufacturers are reducing the opportunity to utilize biometric authentication; while iOS permits biometric authentication for 48 hours, Samsung's new Note 8 disables it after 24 hours and iOS 11 allows a user to disable biometrics with five rapid presses on the power button rendering this avenue of access unavailable.

[Honan] The story should not be about the FBI breaking the encryption on the iPhone, but rather why did the FBI miss the 48 hour deadline?  Encryption is working as it is designed and has saved many people's sensitive information from being accessed by criminals.

[Northcutt] TouchID using the shooter's finger was possible if the phone was not turned off. I'm a big fan of the FBI, impressed with the cybersecurity capabilities they have developed; something along the chain of custody/forensic analysis went wrong. Maybe we can buy another exploit like the San Bernardino shooting iPhone case:



Read more in:

Ars Technica: FBI can't break the encryption on Texas shooter's smartphone


CNET: Apple says it offered to help FBI with Texas shooter's phone


WSJ: Investigators in Texas Attack Took Over 48 Hours to Contact Apple About Shooter's iPhone


Threatpost: Texas Shooter's Phone Encrypted


WPost: Texas gunman's iPhone could reignite FBI-Apple feud over encryption


Fifth Domain: FBI again finds itself unable to unlock a gunman's cellphone


***************************  SPONSORED LINKS  *********************************

1) In case you missed it: "Managed Detection and Response and Business context-- where do they meet, how do they co-exist to help organizations understand true risk?" http://www.sans.org/info/199600

2) Don't Miss: "Making IoT Relevant" with Jessica Hyde, Director of Forensics, Magnet Forensics. http://www.sans.org/info/199605

3) "Preventing Persistent Attacks With Linux Micro Virtualization" with John Pescatore. Register: http://www.sans.org/info/199610




Microsoft Issues Advisory on Mitigating Dynamic Data Exchange Attacks

(November 8 & 9, 2017)

Microsoft has issued a security advisory regarding the use of its Dynamic Data Exchange (DDE) protocol as an attack vector. The advisory provides recommendations for mitigating DDE attack scenarios; the recommended mitigations consist of manually creating new Office registry settings, which differ by application and by Office version.

[Editor Comments]

[Ullrich] DDE has become a very popular technique to trick users to run malicious code. Microsoft has ignored the issue somewhat, stating that there are already multiple warnings that should tell the user what happens. This guidance from Microsoft is overdue and very much welcome. ASR (Attack Surface Reduction) is probably the most effective and least disruptive way to block these exploits, but it is only available to users who run the very latest version of Windows 10 which was released only about a month ago.


[Northcutt] I have been making registry changes since XP, and the Technet article below gives me a headache. Can you imagine your mother, or neighbor, trying to figure out which version of Office they have to make the correct registry update? Insane. Microsoft needs to do a much better job with this one.
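The advisory's registry settings stop Office from updating DDE links; the complementary check on the detection side is to find documents that carry a DDE field before a user ever opens them. The following is an added example, not Microsoft's code and not part of the advisory or the newsletter: a scanner that opens a .docx, reassembles each field code from the WordprocessingML parts, and reports any DDE or DDEAUTO field. It reassembles rather than greps because attackers split the keyword across several w:instrText runs and nest it inside a QUOTE field to defeat naive string matching. The three documents it scans are constructed in memory; the cmd.exe field text in them is an illustrative field code, not a real malware sample.

```python
"""Scan .docx files for DDE / DDEAUTO field codes.

Added example (not Microsoft's code). Field codes are rebuilt from the
WordprocessingML markup so that a keyword split over many runs, or hidden in
a nested field, is matched as one string. The documents below are constructed
in memory for the demonstration.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_codes(part_xml):
    """Return every field code in one WordprocessingML part.

    Complex fields run  w:fldChar begin .. w:instrText* .. w:fldChar end  and
    may nest; all instruction text between the outermost begin and end is
    joined, so a code split over runs or hidden in a nested field comes back
    whole. Simple fields carry the code in w:fldSimple/@w:instr.
    """
    codes, buf, depth = [], [], 0
    for el in ET.fromstring(part_xml).iter():
        if el.tag == f"{{{W}}}fldSimple":
            codes.append(el.get(f"{{{W}}}instr", ""))
        elif el.tag == f"{{{W}}}fldChar":
            kind = el.get(f"{{{W}}}fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    codes.append("".join(buf))
                    buf = []
        elif el.tag == f"{{{W}}}instrText" and depth > 0:
            buf.append(el.text or "")
    return codes


def scan_docx(data):
    """Return (part name, field code) for every DDE field in a .docx byte string."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            # body, headers, footers and footnotes all live under word/
            if name.startswith("word/") and name.endswith(".xml"):
                hits.extend((name, code.strip()) for code in field_codes(z.read(name))
                            if DDE_RE.search(code))
    return hits


# --- constructed sample documents (hypothetical content) ------------------

def run(xml):
    return f"<w:r>{xml}</w:r>"


def complex_field(pieces, inner=""):
    """Runs for one complex field; each piece becomes its own w:instrText run,
    and `inner` (more runs) is placed inside the field to nest another field."""
    instr = "".join(run(f"<w:instrText>{escape(p)}</w:instrText>") for p in pieces)
    return (run('<w:fldChar w:fldCharType="begin"/>') + instr + inner
            + run('<w:fldChar w:fldCharType="separate"/>') + run("<w:t>result</w:t>")
            + run('<w:fldChar w:fldCharType="end"/>'))


def make_docx(body_runs):
    doc = f'<w:document xmlns:w="{W}"><w:body><w:p>{body_runs}</w:p></w:body></w:document>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
    return buf.getvalue()


PAYLOAD = 'DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"'  # illustrative field text

BENIGN = make_docx(complex_field([" PAGE "])
                   + '<w:fldSimple w:instr=" DATE "><w:r><w:t>x</w:t></w:r></w:fldSimple>')
SPLIT = make_docx(complex_field(["DD", "EAUTO ", PAYLOAD[8:]]))      # keyword split over runs
NESTED = make_docx(complex_field([" QUOTE "], inner=complex_field([PAYLOAD])))

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("split", SPLIT), ("nested", NESTED)):
        print(label, scan_docx(doc))
```

This covers the Word (.docx) carrier only. RTF documents hold the same field in a `\fldinst` group and Excel carries DDE in cell formulas, so each needs its own parser; the reassembly idea is the same.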

Read more in:

Threatpost: Microsoft Provides Guidance on Mitigating DDE Attacks


SC Magazine: Microsoft issues warning on Dynamic Data Exchange vulnerability


Microsoft: Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields




Governors Want Cohesive Federal Cyber Regulations

(November 8, 2017)

The US National Governors Association (NGA) and the National Association of State Chief Information Officers (NASCIO) have asked the Office of Management and Budget's (OMB's) Office of Information and Regulatory Affairs to standardize federal audit processes and make cyber security requirements consistent across federal agencies. NGA and NASCIO say that complying with the various requirements unnecessarily consumes states' resources.

Read more in:

GCN: Governors, state CIOs push for streamlined federal cyber regulations




Upcoming Versions of Chrome Will Prevent Sketchy Redirects

(November 8 & 9, 2017)

With the release of Chrome 64 in January 2018, Google plans to introduce stronger anti-malvertising measures. The new version of Chrome will block redirects initiated by third-party iframes unless the user has been interacting with that frame. In Chrome 65, scheduled to be released in March 2018, sites will be prevented from opening clicked links in new tabs while redirecting the main window to another site.

Read more in:

Cyberscoop: Google Chrome introduces new security measures against malvertising


Wired: Chrome Will Stop Sketchy Sites from Bouncing You to Ads


ZDNet: Chrome going after shady site redirect tactics


CNET: Chrome will whack website bait-and-switch tactics




November Android Security Bulletin Includes Fixes for Krack Flaw

(November 8, 2017)

Google's November Android Security Bulletin includes fixes for the Krack vulnerability. Krack, short for key reinstallation attack, is a flaw in the WPA2 protocol that can be exploited by an attacker within wireless range to decrypt traffic on a protected Wi-Fi network.

[Editor Comments]

[Neely] While Krack needs close proximity to exploit, application of patches for Krack is a good idea given today's reliance on Wi-Fi networks. This patch set has fixes for Android Open Source Project (AOSP) version 5.0.2-8.0. Availability of updates is a function of your mobile device hardware manufacturer support for these updates and the time for your mobile operator to make them available for users.  

Read more in:

Threatpost: Google Patches Krack Vulnerability in Android


Android: Android Security Bulletin-November 2017




Logitech Will Brick Harmony Link Hubs Next Year

(November 8 & 9, 2017)

Logitech has begun notifying owners of its Harmony Link universal hub that the company intends to brick the devices in March 2018. Logitech made the decision to push a firmware update that will render the devices unusable because of "an encryption certification that expires in the spring of 2018, which may open the product up to potential security vulnerabilities." Customers are not happy with the decision. Logitech initially offered to replace the devices only if they were still under warranty, but has now extended that offer to all customers with Harmony Link hubs.

[Editor Comments]

[Ullrich] This should be no problem. Nobody ever updates the firmware on these devices. Logitech's offer to replace the devices is appropriate. But as much of a problem are devices that are just abandoned by their manufacturer while they still have several years of useful life left.

[Pescatore] There are a lot of angles to this story, lots of lessons manufacturers should learn. It is hard to tell whether (a) Logitech made a bad design decision in choosing a hard coded certificate expiration that is shorter than the product life cycle, or (b) they initially chose to use the certificate expiration as an excuse to drive sales for the newer product. The reaction shows what a bad idea (b) is. Microsoft learned years ago with Windows that even if they would like consumers to update to the newest Windows OS every 5 years or so, they had to make sure older versions should stay secure for at least 10 years - trying to force your customers to upgrade by pointing out your existing product will soon stink is not a good idea.

Read more in:

Ars Technica: After online outrage, Logitech will now replace Harmony Link devices for free


Bleeping Computer: Logitech Will Intentionally Brick All Harmony Link Devices Next Year


Engadget: Logitech will brick all Harmony Link devices in March


Ars Technica: Logitech to shut down "service and support" for Harmony Link devices in 2018 [Update]




Vulnerability in Brother Printers

(November 7 & 8, 2017)

A flaw in printers manufactured by Brother could be exploited to create denial-of-service conditions on the devices. The issue affects all Brother printers with the Debut embedded HTTP server. The flaw can be exploited remotely and without authentication by sending a malformed HTTP POST request to the printer's web interface.

Read more in:

The Register: Oh Brother: Hackers can crash your unpatched printers - researchers


Threatpost: Brother Printers Susceptible to Remote Denial of Service Attacks


Trustwave: Remote Unauthenticated DoS in Debut embedded httpd server used by Brother printers




Voting Security Bill Introduced in US House

(November 7, 2017)

A bill introduced in the US House of Representatives would require that states use voting systems that have paper backups and that close elections would be subject to audits. The Safeguarding Election Infrastructure Act bears similarities to the Securing America's Voting Equipment Act, which was recently introduced in the Senate. Both bills aim to improve cyber security information sharing between the federal government and state election officials, and both ask that the Department of Homeland Security (DHS) streamline security clearances for state election officials so that they can receive classified information.

Read more in:

The Hill: Dem rep's bill would require paper voting, recounts in close elections




Netflix Phishing Scam

(November 7, 2017)

Netflix customers are again being targeted by a phishing attack. A similar scheme targeted Netflix customers earlier this year. The phony Netflix emails use customers' names and include a message that claims that Netflix is "unable to validate [customers'] billing information" and asks that the customers update their details to maintain uninterrupted service.

Read more in:

SC Magazine: Double plot twist: Another phony Netflix email turns out to be phishing scam


Wired: The Devious Netflix Phish That Just Won't Die




Interesting RTF Maldoc VBA Dropper


Multiple Linux USB Flaws Made Public


Ethereum Multi Signature Wallet Bug Causes Loss of $280 Million



Mantistek Gaming Keyboard Cloud Driver Exfiltrates Keystroke Data


Amazon Is Introducing Additional Security Features for S3


Logitech Will Discontinue Harmony Link Device and Brick it via Firmware Update in March 2018


Twilio Credentials Found in Mobile Apps (requires registration)


Drive By Crypto Currency Mining Keeps Increasing (PDF)



Intel's Management Engine Firmware Decoded



Google Android November Patches



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create