Learn real-world cyber security skills from active industry experts in Anaheim. Save $150 thru 12/18.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #94

December 1, 2017


SANS NewsBites               December 1, 2017                Vol. 19, Num. 094



AWS Bucket Misconfiguration Exposes Classified NSA Data

NATO Members Develop Cyber Warfare Rules

Federal Cybersecurity Dashboard Adoption


Seleznev Sentenced for New Charges

Fixes Available for Cisco WebEx Flaws

Google to Start Process of Blocking Third-Party Software Code Injection in Chrome

Website Using "Pop-Unders" to Launch Hidden, Persistent Cryptocurrency Miners

UK Suit Alleges Google Circumvented Privacy Protections on Users' iPhones

Apple Releases Fix for macOS Root Vulnerability

Baratov Reaches Plea Deal in Yahoo Breach Case

PowerDNS Releases Patches for Authoritative Server and Recursor


***************************  Sponsored By AlgoSec  **************************

AlgoSec, the leader in Security Policy Management recently examined the state of security across hybrid environments. The survey revealed that while many organizations are embracing public cloud platforms as part of their enterprise infrastructure, they also have serious concerns when managing security across hybrid environments, both during and after cloud migrations.  Read More: http://www.sans.org/info/200270



-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018

-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018

-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018

-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Get a 10.5" iPad Pro with Smart Keyboard, or an ASUS Chromebook Flip, or take $400 Off OnDemand or vLive Training when you register by December 13. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format -https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all




AWS Bucket Misconfiguration Exposes Classified NSA Data

(November 28 & 30, 2017)

Yet another misconfigured Amazon Web Services (AWS) bucket has been found to have been leaking classified and sensitive data. This bucket contains information that belongs to the US Army's Intelligence and Security Command, which is also a division of the National Security Agency (NSA). The 100 gigabytes of compromised data include details about an Army intelligence project known as Red Disk. The leak was detected in September.    

[Editor Comments]

[Pescatore] Short term: all AWS accounts come with 90-day free use (up to 250 agents) of Amazon's Inspector vulnerability assessment tool. Longer term: all enterprise-grade vulnerability assessment products support being extended out to the major cloud services. The usual problem is that the enterprise *processes* haven't been extended.

[Williams] With yet another classified data leak there needs to be some accountability for this leak. Some of our adversaries almost certainly found this unsecured classified information. The data on the drive image, if studied by adversaries is extremely damaging. Some have criticized Whittaker for writing about this, but without his reporting the government would have buried the fact of the leak. While national security is obviously a concern in any such situation, reporting in this case has started a valuable conversation about the handling of classified data, particularly by intelligence community contractors.

[Paller] Amazon does not take responsibility for security of user data except in services they provide. That's particularly true of configuration. Without substantial (skilled) effort, often using tools AWS provides, users are about as safe on AWS as they are putting their most sensitive data on a computer they bought at Best Buy and connected to the Internet.

Read more in:

FCW: Security firm reveals another NSA leak


Cyberscoop: Top secret Army, NSA data found on public internet due to misconfigured AWS server


Threatpost: Leaky AWS Storage Bucket Spills Military Secrets, Again


GovTech: Top-Secret Cache of Army Intelligence Data Left Exposed on Internet


ZDNet: NSA leak exposes Red Disk, the Army's failed intelligence system




NATO Members Develop Cyber Warfare Rules

(November 30, 2017)

Seven NATO member countries - the US, the UK, Germany, Norway, Denmark, the Netherlands, and Spain - are developing a slate of cyber warfare principles to help NATO military forces decide when to deploy cyber weapons. The new doctrine could mark a NATO shift away from a purely defensive cybersecurity posture.

[Editor Comments]

[Pescatore] NATO countries have been using offensive cyber weapons for a long time now. The real issue is reaching a consensus on defining what conditions justify their use. For example, in the pre-Internet days broadcast propaganda stations were used by many countries to send "fake news" across borders to enemy countries, yet that wasn't considered warfare. Similarly, intelligence agencies collecting intelligence in nefarious ways wasn't dealt with as an act of war. Those same activities using the Internet don't necessarily add up to "cyber war," and many forms of active cyber response are very likely to cause unintended consequences.

Read more in:

Reuters: NATO mulls 'offensive defense' with cyber warfare rules


Silicon UK: NATO Plots Cyber Warfare Rules




Federal Cybersecurity Dashboard Adoption

(November 28, 2017)

A US Department of Homeland Security official says that the major government agencies are expected to be connected to the federal cybersecurity dashboard by the end of February 2018. The dashboard will allow DHS officials to keep tabs on which software is running on networks across the government. Just two agencies are currently connected. Once the 24 major agencies are connected, DHS will begin connecting smaller agencies. The federal cybersecurity dashboard is part of DHS's Continuous Diagnostics and Mitigation program.

[Editor Comments]

[Northcutt] Ignore the pundits who criticize saying they should measure this or that. The dashboard means certain metrics will be monitored and compared against peer agencies. When you are the only one with a failing score, there is no place to hide.

Read more in:

Nextgov: All Major Agencies Will Be on Federal Cybersecurity Dashboard by February


Read more in:

Nextgov: All Major Agencies Will Be on Federal Cybersecurity Dashboard by February


**************************  SPONSORED LINKS  ********************************

1) Join this webinar with Splunk to learn how to avoid the legacy SIEM death trap and keep your organization alive. http://www.sans.org/info/200275

2) Don't Miss: "Next-Generation Antivirus (NGAV) Buyer's Guide: Successful Strategies for Choosing and Implementing NGAV." Register: http://www.sans.org/info/200280

3) "2017 Trends and Strategies for Protecting Endpoints in Healthcare" Register: http://www.sans.org/info/200285




Seleznev Sentenced for New Charges

(November 30 & December 1, 2017)

Roman Valeryevich Seleznev has been sentenced to 14 years in prison for racketeering and conspiracy to commit bank fraud. Seleznev, who masterminded an organized online crime ring, was sentenced to 27 years in prison in April for other fraud charges. He will serve his sentences concurrently.   

Read more in:

The Register: Stop us if you've heard this one: Russian hacker thrown in US slammer for $59m bank fraud


DoJ: Russian Cyber-Criminal Sentenced to 14 Years in Prison for Role in Organized Cybercrime Ring Responsible for $50 Million in Online Identity Theft and $9 Million Bank Fraud Conspiracy




Fixes Available for Cisco WebEx Flaws

(November 30, 2017)

Cisco has released patches to address six vulnerabilities in Cisco WebEx Network Recording Player for Advanced Recording Format and WebEx Recording Format files. Users are encouraged to update the affected products; there are no workarounds available.

Read more in:

Cisco: Multiple Vulnerabilities in Cisco WebEx Recording Format and Advanced Recording Format Players


Threatpost: Cisco Patches Critical Playback Bugs in WebEx Players


SC Magazine: Cisco patches multiple vulnerabilities in WebEx platforms




Google to Start Process of Blocking Third-Party Software Code Injection in Chrome

(November 30, 2017)

In spring 2018, Google will take the first step in the process of blocking third-party software from injecting code into the browser. Chrome 66, scheduled for release in April 2018, will notify users after a browser crash that third-party code is being injected and will offer suggestions for updating or removing the offending software. In Chrome 68, scheduled for release in July 2018, third-party code injection will be blocked unless the blocking prevents Chrome from starting. In Chrome 72, scheduled for release in January 2019, Chrome will always block third-party code injection.

Read more in:

Bleeping Computer: Google Will Block Third-Party Software From Injecting Code Into Chrome


The Register: Google Chrome vows to carpet bomb meddling Windows antivirus tools




Website Using "Pop-Unders" to Launch Hidden, Persistent Cryptocurrency Miners

(November 29 & 30, 2017)

At least one website has been detected using pop-unders, in this case windows that pop up behind the Windows taskbar, to harness computer resources to mine for cryptocurrency. The windows function even when the main browser window is closed. So far, the technique has been spotted on just one website and appears to work only on Chrome browsers.

[Editor Comments]

[Ullrich] As the value of crypto currencies increases, we are seeing more and more fraud related to them. For a quick summary of current attacks, see https://isc.sans.edu/forums/diary/9+Fast+and+Easy+Ways+To+Lose+Your+Crypto+Coins/23071/

Read more in:

Malwarebytes: Persistent drive-by cryptomining coming to a browser near you


Bleeping Computer: Cryptojacking Script Continues to Operate After Users Close Their Browser


SC Magazine: Cryptominer uses hidden browser windows to keep on mining




UK Suit Alleges Google Circumvented Privacy Protections on Users' iPhones

(November 29, 2017)

Google is being taken to court in the UK over allegations that it placed cookies on iPhone owners' devices even when the devices were set to block cookies. Google then allegedly used the cookies to deliver targeted advertisements.

Read more in:

BBC: Google faces mass legal action in UK over data snooping




Apple Releases Fix for macOS Root Vulnerability

(November 28 & 29, 2017)

Apple has released an emergency security update for macOS to address a flaw that allowed anyone to log in as a system administrator on machines running the High Sierra version of macOS. The patch was scheduled to be automatically applied to machines running High Sierra 10.13.1 on Wednesday, November 29. Apple has said that it plans to audit its development processes to prevent a recurrence.  

[Editor Comments]

[Ullrich] The patch will disable the root account again, which is a good thing, but if you need the root account enabled, then make sure to re-enable it after applying the patch. There may also be an issue when trying to connect to file shares after applying the fix. Apple has instructions on fixing any file share related issues. The problem here wasn't really so much that the disabled root account had no password, but a bug in some parts of the operating system that did not verify that the account was disabled.

Read more in:

Wired: Anyone Can Hack macOS High Sierra Just By Typing "Root"


The Register: As Apple fixes macOS root password hole, here's what went wrong


ZDNet: Apple fixes macOS password flaw


Ars Technica: New security update fixes macOS root bug


KrebsOnSecurity: MacOS High Sierra Users: Change Root Password Now




Baratov Reaches Plea Deal in Yahoo Breach Case

(November 28 & 29, 2017)

Karim Baratov has reached a plea deal with US prosecutors regarding his involvement in breaking into webmail accounts as part of a larger breach of Yahoo accounts. He was extradited to the US earlier this year. On Tuesday, November 28, Baratov pleaded guilty to one count of conspiracy to commit computer fraud and eight counts of aggravated identity theft.

Read more in:

The Register: Canadian! fella! admits! hacking! Gmail! inboxes! amid! Yahoo! megahack!


Ars Technica: Hacker pleads guilty to huge Yahoo hack, admits helping Russia's FSB


Cyberscoop: Guilty plea for Canadian charged in 2014 Yahoo hacking case


Fifth Domain: 'Hacker-for-hire' pleads guilty to Yahoo breach




PowerDNS Releases Patches for Authoritative Server and Recursor

(November 28, 2017)

PowerDNS has released patches to address five vulnerabilities in its Authoritative Server and Recursor products. The issues include a missing check on API operations, insufficient validation of DNSSEC signatures, cross-site scripting in the web interface, configuration file injection in the API, and a memory leak in DNSSEC parsing.

Read more in:

PowerDNS: PowerDNS Authoritative Server 4.0.5 and Recursor 4.0.7 Released


HelpNet Security: PowerDNS patches five security holes in widely used nameserver software


The Register: Open source nameserver used by millions needs patching




Passwordless Root Account Allows for Trivial Privilege Escalation on MacOS High Sierra



Apple Releases Security Update 2017-001 to Fix Passwordless Root Bug


Coinhive Miner Now As Pop-Under


Fileless Malicious PowerShell Sample


Defeating Facial Recognition


Bitcoin Gold Wallet App Compromise


Project Exodus Identified Trackers in Android Apps



Insecure Android Crypto Currency Wallets


.dev TLD Now Requires HTTPS in Chrome



More Malspam Pushing Emotet Malware


Google Chrome To Block Some Third Party Software Mid-2018


European Union Funds VLC Bug Bounty


STI Student Scott Perry: Virtual System Forensics




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create