3 Days Left! iPad Pro w/ Smart Keyboard, $400 Off, or ASUS Chromebook w/ Online Training!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #92

November 21, 2017


****************************************************************************

SANS NewsBites               November 21, 2017                Vol. 19, Num. 092

****************************************************************************

TOP OF THE NEWS

Data Collected by US Military Exposed on Misconfigured AWS S3 Buckets

Australian Broadcasting Corporation Data Leaked Through Misconfigured AWS S3 Buckets

Apple Served with Search Warrant Over iPhone in Texas Massacre

REST OF THE WEEK'S NEWS

DMARC Adoption is Low Among Large, High-Revenue Organizations

Intel Releases Firmware Updates for Multiple Vulnerabilities

ASLR Flaw Affects Windows

Mozilla Added First Party Isolation Feature to Firefox in August

StartCom to Stop Issuing Certificates

Microsoft's Equation Editor Fix Unusual

Legislators Seek Transparency for Medical Device Software Components

New GitHub Security Alerts

Car Infotainment Systems Store Sensitive Info Unencrypted

INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By Intezer  **************************


Don't Miss:  "Use Code Reuse to your Advantage: The Forgotten Component of your Incident Response Plan."  Together with Intezer Analyze and SANS Jake Williams, we will demonstrate how finding code reuse of known malware enables you to improve and accelerate incident response plans.  Register: http://www.sans.org/info/200050


*****************************************************************************

TRAINING UPDATE


-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017


-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018


-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018


-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018


-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018


-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018


-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018


-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018


-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018


-- SANS OnDemand and vLive Training | Receive a 12.9" iPad Pro, Surface Pro 4 or take $400 Off your OnDemand or vLive course when you register by November 22nd. The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast - https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format -https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all


*****************************************************************************

TOP OF THE NEWS

 --

Data Collected by US Military Exposed on Misconfigured AWS S3 Buckets

(November 17, 18, & 20, 2017)

An archive of social media posts scraped by the US military was left exposed on misconfigured AWS S3 buckets. The archives were being managed by a military contractor. The databases have been secured.   


[Editor Comments]

[Pescatore] This item and the following Australian item point out that government and enterprise sys admins who are managing external cloud services like AWS S3 are making the same basic admin hygiene mistakes they made for years on local data center systems. AWS and Azure have a number of features and for-fee services to help admins do a better job. Cloud based security services, usually called Cloud Access Security Brokers (CASB) these days, are also available to detect and remediate configuration errors.


[Williams] Cloud technologies can reduce TCO, but they are more difficult to secure. Cloud platforms are also in a constant state of change. A configuration that was secure last month may not be next month. Many government IT simply departments (as well as their private sector counterparts) simply can't budget quickly enough to make the necessary critical changes to configurations in this agile environment.


Read more in:

Ars Technica: Pentagon contractor leaves social media spy archive wide open on Amazon

https://arstechnica.com/information-technology/2017/11/vast-archive-from-pentagon-intel-gathering-operation-left-open-on-amazon/

The Register: Massive US military social media spying archive left wide open in AWS S3 buckets

http://www.theregister.co.uk/2017/11/17/us_military_spying_archive_exposed/

Bleeping Computer: US Military Database Holding Web-Monitoring Data Left Exposed Online

https://www.bleepingcomputer.com/news/security/us-military-database-holding-web-monitoring-data-left-exposed-online/

Threatpost: Centcom Says Massive Data Cache Found on Leaky Server is Benign

https://threatpost.com/centcom-says-massive-data-cache-found-on-leaky-server-is-benign/128944/

 

--

Australian Broadcasting Corporation Data Leaked Through Misconfigured AWS S3 Buckets

(November 17 & 20, 2017)

Information belonging to the Australian Broadcasting Corporation (ABC) has been exposed due to misconfigured Amazon Web Services S3 repositories. ABC learned of the issue on November 16. Amazon recently announced new S3 security and encryption features.


[Editor Comments]

[Neely] Amazon has changed the S3 security configuration to strongly challenge, i.e. big bold red letters confirming the action, before allowing the creation of non-secured buckets, which is great for new configurations, older configurations need to be double checked to insure they are not open.


Read more in:

SC Magazine: Misconfigured Amazon S3 server leaks Australian Broadcasting Corporation

https://www.scmagazine.com/australian-broadcast-corporation-data-leaked-from-misconfigured-aws-s3-server/article/708646/

ZDNet: Australian Broadcasting Corporation confirms S3 data leak

http://www.zdnet.com/article/australian-broadcasting-corporation-confirms-s3-data-leak/

 

 --

Apple Served with Search Warrant Over iPhone in Texas Massacre

(November 20, 2017)

The Texas Rangers law enforcement agency has served Apple Computers with a warrant demanding the company's assistance in unlocking an iPhone found at the scene of the mass shooting that took place in a Texas church earlier this month. The warrant is for both data stored locally on the device as well as any associated iCloud-stored data. Federal law enforcement officials are unlikely to make a legal case over the device.  


[Editor Comments]

[Murray] Users of Apple cloud services are on notice that it will comply with legal service.  The device is a different matter.  It remains to be seen whether or not Apple is party to or responsible for the data stored on a device that it sold.  It will set a very dangerous precedent to say that it is. Think any storage device with full-disk encryption.  


[Northcutt] This is probably going to be a long, slow evolving story. Here is the Apple letter from San Bernardino case:

https://www.apple.com/customer-letter/


[Neely] With due process, Apple can facilitate access to iCloud stored data. With current iOS Encryption and iPhones, Apple doesn't have access to the information on the device. Even suppliers of mobile device forensic tools such as Cellebrite and Elcomsoft say they can no-longer assure recovery of information from current devices.  This is less of a concern for corporate devices with an MDM which can reset the device passcode. Expect pressure on Apple for a back door or to provide a similar capability for personally owned devices.


Read more in:

CNET: Apple received search warrant over Texas church shooter's phone

https://www.cnet.com/news/apple-served-with-search-warrant-over-sutherland-springs-shooters-phone/

Washington Post: FBI not likely to seek a legal battle over locked Texas iPhone

https://www.washingtonpost.com/world/national-security/fbi-not-likely-to-seek-a-legal-battle-over-locked-texas-iphone/2017/11/20/f8495c92-ce12-11e7-9d3a-bcbe2af58c3a_story.html


**************************  SPONSORED LINKS  ********************************


1) Webcast:  "Next-Generation Antivirus (NGAV) Buyer's Guide: Successful Strategies for Choosing and Implementing NGAV" with Barbara Filkins.  Register:  http://www.sans.org/info/200055


2) Find out where your current solution ranks for security efficacy and TCO and Find out why NSS Labs recommends the Forcepoint NGFW to be on every company's short list. http://www.sans.org/info/200060


3) Took Talk Webcast:  "Business-Driven Network Security Policy Management"  Register:  http://www.sans.org/info/200065


*****************************************************************************

THE REST OF THE WEEK'S NEWS  

 --

DMARC Adoption is Low Among Large, High-Revenue Organizations

(November 20, 2017)

While the Domain-based Message Authentication, Reporting, and Conformance (DMARC) security standard provides robust phishing prevention, many major organizations have not adopted the standard. One reason for the lack of DMARC implementation is that many organizations do not know about it. In addition, proper DMARC implementation can be complicated; many organizations that have implemented DMARC have not switched it on or have not configured it correctly.     


[Editor Comments]

[Pescatore] ValiMail's DMARC adoption numbers for Fortune 500 are very similar to Agari's that I commented on in a previous NewsBites. About 1/3 have already deployed DMARC but only 1/20 have turned on blocking. Those who have moved from monitor to quarantine to DMARC reject have seen very little business impact - mostly outing small business units that were violating corporate policies by using unsafe third party marketing firms.


[Northcutt] Ummm, If you are government, or work with the government, you might want to read this document mandating its use in 2018:

https://cyber.dhs.gov/assets/report/bod-18-01.pdf


[Neely] Once DMARC is configured for reporting (p=none) the challenge is consuming the reports and identifying systems that are legitimately sending email on behalf of your domain so that you can change to block (p=reject) mode which is the desired end-state. While DMARC reports provide lots of information regarding email being sent from your domains outside the DKIM/SPF configuration, using log aggregation tools to process the compressed XML reports is key for success. This can be leveraged to create information that provides assurance to management that due diligence has been performed to prevent the rejection of legitimate email.


[Murray] Even speculation about convenience trumps security against a widely exploited fundamental vulnerability.

[Honan] The Global Cyber Alliance is a not for profit organisation promoting good security practises and DMARC is an area they have done a lot of work in. They provide lots of free resources for organisations to refer to at https://dmarc.globalcyberalliance.org/


Read more in:

Cyberscoop: Report: DMARC email security can be too hard for some large companies

https://www.cyberscoop.com/dmarc-email-security-valimail/

 

 --

Intel Releases Firmware Updates for Multiple Vulnerabilities

(November 20, 2017)

Intel has released firmware updates for 10 security flaws in its Management Engine, Server Platform Services, and Trusted Execution Engine. The vulnerabilities could be exploited to run code, conduct system surveillance, and tinker with vulnerable systems. The updates are available to computer manufacturers, which must cryptographically sign the new code.  


[Editor Comments]

[Pescatore] A little over 7 years ago, Intel acquired McAfee, and the spin was "security will be built in to CPUs." Once again, the maxim "the infrastructure cannot protect the infrastructure" was proven, and in 2016 Intel sold off the majority of McAfee to TPG. Now we see critical patches required for those CPUs that were theoretically going to be much more secure.


Read more in:

Intel: Intel Q3'17 ME 11.x, SPS 4.0, and TXE 3.0 Security Review Cumulative Update

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr

The Register: Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets

http://www.theregister.co.uk/2017/11/20/intel_flags_firmware_flaws/

Cyberscoop: Intel patches flaw that leaves millions of computers vulnerable to hidden attacks

https://www.cyberscoop.com/intel-me-management-engine-buffer-overflow-2017/?category_news=technology

 

 --

ASLR Flaw Affects Windows

(November 17 & 20, 2017)

A vulnerability in Windows Address Space Layout Randomization (ASLR) makes it easier to exploit memory corruption flaws when "system-wide ASLR is enabled via EMET or Windows Defender Exploit Guard." The issue affects Windows 8, Windows 8.1 and Windows 10.


[Editor Comments]

[Williams] This is more hype than reality. Unlike Linux, Windows ASLR is designed to protect only against remote attacks, not local attacks. DLLs built with modern compilers should already have the DynamicBase flag set, so they already participate in ASLR. Mandatory ASLR is useful only for those legacy DLLs that do not have DynamicBase enabled. This is NOT a vulnerability by itself. While it is a bug that neutralizes an intended defensive mechanism, it only matters if a remotely exploitable unpatched vulnerability already exists on the system AND the vulnerable program loads DLLs that do not have DynamicBase enabled. The verdict? Mostly hype.


Read more in:

Dark Reading: Researcher Finds Hole in Windows ASLR Security Defense

used to create ship loading and container stowage plans

https://www.darkreading.com/vulnerabilities---threats/researcher-finds-hole-in-windows-aslr-security-defense/d/d-id/1330466?

V3: ASLR security flaw in Windows 8 and 10 makes it easier for attackers to target important data

https://www.v3.co.uk/v3-uk/news/3021549/aslr-security-flaw-in-windows-8-and-10-makes-it-easier-for-attackers-to-target-important-data

ZDNet: Key Windows 10 defense is 'worthless' and bug dates back to Windows 8

http://www.zdnet.com/article/key-windows-10-defense-is-worthless-and-bug-dates-back-to-windows-8/

CERT: Windows 8 and later fail to properly randomize every application if system-wide mandatory ASLR is enabled via EMET or Windows Defender Exploit Guard

http://www.kb.cert.org/vuls/id/817544

 

 --

Mozilla Added First Party Isolation Feature to Firefox in August

(November 20, 2017)

Mozilla quietly added a privacy feature to Firefox back in August 2017. Firefox 55 was the first version of the browser to include First Party Isolation (FPI), which helps prevent advertisers from tracing users across the Internet. When FPI is enabled, ad trackers will be able to see only the cookie for the domain a user is currently viewing, preventing the trackers from aggregating users' Internet activity. FPI is not enabled by default in Firefox.   The feature was first introduced in the Tor Browser, where it is called Cross-Origin Identified Unlinkability.


Read more in:

Bleeping Computer: Another Tor Browser Feature Makes It Into Firefox: First-Party Isolation

https://www.bleepingcomputer.com/news/software/another-tor-browser-feature-makes-it-into-firefox-first-party-isolation/

 

 --

StartCom to Stop Issuing Certificates

(November 17 & 19, 2017)

The StartCom certificate authority will stop issuing new certificates as of January 1, 2018. The company will continue providing validation services for two years after that date, and will completely cease operations in 2020. A StartCom board member observed that the change should not have a noticeable impact as all major browsers already do not trust StartCom certificates.


Read more in:

ZDNet: StartCom to shut down, all certificates revoked in 2020

http://www.zdnet.com/article/startcom-to-shut-down-all-certificates-revoked-in-2020/

The Register: Shamed TLS/SSL cert authority StartCom to shut up shop

http://www.theregister.co.uk/2017/11/17/battered_certificate_authority_startcom_shutters_the_doors/

 

 --

Microsoft's Equation Editor Fix Unusual

(November 17 & 18, 2017)

One of the patches Microsoft released last week took an unusual approach to fixing the security issue. Rather than fixing the problem in source code and recompiling the program, Microsoft chose to fix a security issue in Equation Editor by altering the program's executable file.  


[Editor Comments]

[Williams] As a reverse engineer and exploit developer, let me say "mad respect" to the Microsoft engineers who did this. The patch was not trivial by any means.


Read more in:

Bleeping Computer: Microsoft Appears to Have Lost the Source Code of an Office Component

https://www.bleepingcomputer.com/news/microsoft/microsoft-appears-to-have-lost-the-source-code-of-an-office-component/

Ars Technica: How to fix a program without the source code? Patch the binary directly

https://arstechnica.com/gadgets/2017/11/microsoft-patches-equation-editor-flaw-without-fixing-the-source-code/

 

 --

Legislators Seek Transparency for Medical Device Software Components

(November 17, 2017)

The US House Committee on Energy and Commerce has asked the Department of Health and Human Services (HHS) to require medical device manufacturers to list the software, firmware, and hardware components the devices contain. Medical professionals "do not know, and often have no way of knowing, exactly what hardware or software exist within the technologies on which they rely to provide vital medical care." In a report on improving cyber security in the health care industry, the Health Care Industry Cybersecurity Task Force recommended having a Bill of Materials (BOM) for each piece of medical technology.


Read more in:

Cyberscoop: Lawmaker to HHS: Label software in medical devices

https://www.cyberscoop.com/lawmakers-hhs-label-software-medical-devices-corman-walden/

SC Magazine: House committee asks HHS to boost cybersecurity by requiring component list for medical devices

https://www.scmagazine.com/house-committee-asks-hhs-to-boost-cybersecurity-by-requiring-component-list-for-medical-devices/article/708139/

House Energy and Commerce Committee: Letter to HHS (PDF)

https://energycommerce.house.gov/wp-content/uploads/2017/11/20171116HHS.pdf

 

--

New GitHub Security Alerts

(November 17 & 20, 2017)

A new security alert service, recently added to GitHub's version control platform, will notify users when a flaw is found in one of their object dependencies and will suggest known fixes. The feature currently supports Javascript and Ruby, and is scheduled to support Python in 2018.   


[Editor Comments]

[Pescatore] This still requires someone to find the vulnerabilities in the base objects, but is nice to see. Companies like Sonatype and Synopsis/BlackDuck have full "open source software supply chain security" offerings.


Read more in:

GitHub: Introducing security alerts on GitHub

https://github.com/blog/2470-introducing-security-alerts-on-github

SC Magazine: GitHub introduces new security alert feature

https://www.scmagazine.com/github-introduces-new-security-alert-feature/article/708466/

ZDNet: GitHub to devs: Now you'll get security alerts on flaws in popular software libraries

http://www.zdnet.com/article/github-to-devs-now-youll-get-security-alerts-on-flaws-in-popular-software-libraries/

 

--

Car Infotainment Systems Store Sensitive Info Unencrypted

(November 16, 2017)

A security researcher found that his car's infotainment system contained unencrypted information from his mobile phone. The data include call histories, text messages, emails, and contact lists.  


Read more in:

Motherboard: Researchers Hack Car Infotainment System and Find Sensitive User Data Inside

https://motherboard.vice.com/en_us/article/3kvw8y/researchers-hack-car-infotainment-system-and-find-sensitive-user-data-inside

 

INTERNET STORM CENTER TECH CORNER

Bitcoin Pickpockets Scanning For Wallets

https://isc.sans.edu/forums/diary/BTC+Pickpockets/23052/


Resume-themed Malspam Pushing Smoke Loader

https://isc.sans.edu/forums/diary/Resumethemed+malspam+pushing+Smoke+Loader/23054/


F5-BigIP TLS Vulnerability

https://support.f5.com/csp/article/K21905460


Microsoft Updates Patches/May Have Lost Sourcecode

https://0patch.blogspot.com/2017/11/did-microsoft-just-manually-patch-their.html

http://borncity.com/win/2017/11/17/microsoft-confirms-epson-dot-matrix-printer-issue-after-november-2017-patchday-here-are-fixes/


StartCom TLS Certificate Authority Shutting Down

http://www.zdnet.com/article/startcom-to-shut-down-all-certificates-revoked-in-2020/

 

Windows 8 And Later Fail To Apply ASLR Correctly

https://www.kb.cert.org/vuls/id/817544

      

Intel Patches Several Vulnerabilities in its Management Engine

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr


Sandsifter CPU Fuzzer

https://github.com/xoreaxeaxeax/sandsifter/


Android MediaProjection API Allows For Screen Capture/Audio Recording Without User Consent (PDF)

https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-android-MediaProjection-tapjacking-advisory-2017-11-13.pdf


BusyBox Autocompletion Vulnerability

https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/


******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create