5 Days Left to get a GIAC Cert Attempt Included with OnDemand or vLive Training

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #13

February 16, 2018

****************************************************************************

SANS NewsBites               February 16, 2018                Vol. 20, Num. 013

****************************************************************************

TOP OF THE NEWS

Hack the Air Force 2.0 Turns Up 106 Vulnerabilities

So Tell Us How You Think That Good-Guys-Only Encryption Backdoor is Going to Work

UK, US, Australia Point to Kremlin as Source for NotPetya

NIST Issues Draft Report on IoT Security Standards

REST OF THE WEEK'S NEWS

Dell Patches VMAX Management Interface Flaws

Two Sentenced in Massive Payment Card Data Theft Case

NY Finance Cybersecurity Law Deadline

DHS Supply Chain Security Initiative

Olympic Destroyer Malware Update

Satori Botnet

Patch Tuesday for Microsoft and Adobe

INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By Cylance  **************************


Get the free Cylance ebookIntroduction to Artificial Intelligence for Security Professionals.  Learn about AI and machine learning techniques and methods in practical situations that have proven most successful in predicting and preventing cyberattacks. http://www.sans.org/info/202030

 

*****************************************************************************

TRAINING UPDATE


-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018


-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018            


-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018


-- SANS Northern VA SpringTysons 2018 | March 17-24 | https://www.sans.org/event/northern-va-spring-tysons-2018


-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018


-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018


-- SANS at RSA Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018


-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018


-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018


-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off your OnDemand or vLive training course by February 21. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLivehttps://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all


*****************************************************************************

TOP OF THE NEWS

 --

Hack the Air Force 2.0 Turns Up 106 Vulnerabilities

(February 15, 2018)

Participants in the US Air Force's (USAF's) second bug bounty event discovered more than 100 security issues, and the USAF paid out just over $100,000 USD in bounties. Hack the Air Force 2.0 took place from December 9, 2017-January 1, 2018. The competition focused on about 300 public-facing USAF websites.


[Editor Comments]

[Pescatore] The best news is that the vulnerabilities count was down by almost 50% from the previous Hack the Air Force. I'd like to see the next Hack the Military effort focus on pre-production code - preventing operational vulnerabilities, not just finding them quicker or less expensively.


[Neely] A successful bug bounty program includes not only fixing the discovered vulnerabilities, but also implementing processes to create and test secure applications before they reach the public-facing websites. The USAF is demonstrating the needed maturity for a successful program, hopefully the rest of the Pentagon will follow suit.


Read more in:

The Hill: Ethical hackers discover 100 vulnerabilities in U.S. Air Force systems

http://thehill.com/policy/cybersecurity/374038-ethical-hackers-discover-100-vulnerabilities-in-us-air-force-systems

Cyberscoop: U.S. Air Force pays out $103,883 to hackers in bug bounties

https://www.cyberscoop.com/u-s-air-force-pays-out-103883-in-bug-bounties/

Nextgov: International Hackers Find 106 Bugs in U.S. Air Force Websites

http://www.nextgov.com/cybersecurity/2018/02/international-hackers-find-106-bugs-us-air-force-websites/146019/

 

 --

So Tell Us How You Think That Good-Guys-Only Encryption Backdoor is Going to Work

(February 14, 2018)

At a February 13 Senate Intelligence Committee hearing, US Senator Ron Wyden (D-Oregon) once again took FBI Director Christopher Wray to task over exactly what he expects from technology companies regarding access to encrypted communications. Following the hearing, Wyden released a letter he received from four cryptology experts - Martin Hellman, Steven Bellovin, Paul Kocher, and Bruce Schneier - which reads, in part, "Just because a non-technical person believes that such a system can be developed does not make it so." The letter, written to Wyden, applauds his efforts to press the FBI for specifics about its expectations around encryption.


[Editor Comments]

[Pescatore - OK, this is an interesting debate, but for all you readers: Are you routinely encrypting stored data? Since that is one of the biggest impediments to both breaches and ransomware attacks, why aren't you? The biggest impediment to silly legislation mandating encryption back doors is huge increases in business encrypting stored data - not just feeling good about turning SSL on!!


[Neely] This lesson was learned with the clipper chip. Even with such a back door in place, those that wish to keep secrets will use additional measures without that back door. Having key escrow and device management practices in place is the best way to manage encryption and allow for authorized parties to decrypt information within your enterprise.


 [Williams] The only way that encryption backdoors can work is if there is a secret backdoor key that must be protected. But as we've seen with the Shadow Brokers, Vault 7, and other classified data leaks, the US government is horrible at keeping secrets. The leak of the iOS bootloader code identified earlier this month shows that commercial organizations are no better at keeping such secrets.


[Honan] I applaud this move and the challenge within the letter for the experts that law enforcement say they have consulted with to step forward and present their proposed solution to this issue so it can be properly peer reviewed.  Our online security and safety is too important to rely on hearsay


Read more in:

The Register: Crypto-gurus: Which idiots told the FBI that Feds-only backdoors in encryption are possible?

http://www.theregister.co.uk/2018/02/14/cryptography_experts_fbi/

FCW: Wyden grills FBI chief on encryption

https://fcw.com/articles/2018/02/14/wyden-wray-encryption.aspx?admgarea=TC_Security

Regmedia: Letter from Hellman, Bellovin, Kocher, and Schneier

https://regmedia.co.uk/2018/02/14/encryption-experts-wyden.pdf

 

 --

UK, US, Australia Point to Kremlin as Source for NotPetya

(February 15, 2018)

Officials in the UK, Australia, and the US have issued statements attributing the NotPetya cyberattacks to Russia.  


[Editor Comments]

[Pescatore] This seemed pretty likely from the start, since Ukrainian accounting software was the prime distribution mechanism. But, FedEx and Merck business units both reported $300M direct costsdue the failure to patch, not due to the attacks coming from Russia, China, the US or Watopia.




Read more in:

The Register: UK names and shames Russia as source of NotPetya

http://www.theregister.co.uk/2018/02/15/uk_names_russian_military_as_source_of_notpetya/

ZDNet: Australia also points finger at Russia for NotPetya

http://www.zdnet.com/article/australia-also-points-finger-at-russia-for-notpetya/

Ars Technica: In terse statement, White House blames Russia for NotPetya worm

https://arstechnica.com/tech-policy/2018/02/white-house-uk-blame-russian-military-for-notpetya-wiper-worm/

Cyberscoop: U.S. and U.K. blame Russia for infamous 'NotPetya' cyberattacks

https://www.cyberscoop.com/uk-government-blames-russian-military-infamous-notpetya-cyberattacks/?category_news=technology

 

 --

NIST Issues Draft Report on IoT Security Standards

(February 15, 2018)

The US National Institute of Standards and Technology (NIST) has released a draft report, "Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT)," that is designed to help "policymakers, managers, and standards participants as they seek timely development of and use of such standards in IoT components, systems, and services."


[Editor Comments]

[Neely] The report is a comprehensive analysis of types of IoT devices, security concerns, and includes a mapping of existing standards, and gaps, to types of IoT applications and can be used to make a roadmap towards more secure IoT devices.  As the standards evolve and gaps close, procurement contracts can include references to them, which will both aid procurement of secure devices, both in the government and in the private sector, and drive producers of IoT devices to raise their security bar.  The question is: is the market driver big enough to effect such a change?

 

Read more in:

GCN: NIST maps out IoT security standards

https://gcn.com/articles/2018/02/15/nist-iot-standards.aspx?admgarea=TC_SecCybersSec

CSRC NIST: Interagency Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT) (PDF)

https://csrc.nist.gov/CSRC/media/Publications/nistir/8200/draft/documents/nistir8200-draft.pdf


**************************  SPONSORED LINKS  ********************************


1) Join the security experts at Carbon Black and John Pescatore to discuss the PeoplesBank case study; the benefits of cloud-based security platforms and how they apply to your specific needs. http://www.sans.org/info/202035


2) Rapid7 covers a few ways to examine, analyze, review and improve organizational and product-oriented security programs using data and experience from their consulting teams. Register: http://www.sans.org/info/202040


3) Don't Miss: "Why Insider Actions Matter: SANS Review of LogRhythm CloudAI for User and Entity Behavior Analytics" with Dave Shackleford. http://www.sans.org/info/202045


*****************************************************************************

THE REST OF THE WEEK'S NEWS     

 --

Dell Patches VMAX Management Interface Flaws

(February 14 & 15, 2018)

Dell has released updates to address two critical flaws in its VMAX Virtual Appliance (vApp) Manager. One of the vulnerabilities could be exploited to remotely gain unauthorized access to systems with a hard-coded default account password. The second flaw could be exploited to upload arbitrary files to web servers.  


[Editor Comments]

[Neely] Note that the updates do not remove the default account, but instead change the services that use it, so the account remains in the user database, which means you could have the credentials to exploit the second flaw. A fresh install is needed to no longer have the account.


 [Honan] It is frustrating that in 2018 we are still reading about companies who rely on hard coded credentials in their applications.


Read more in:

The Register: Dell EMC squashes pair of VMAX virtual appliance bugs

http://www.theregister.co.uk/2018/02/15/sell_emc_patches_vmax_virtual_appliance_vulnerabilities/

SC Magazine: Dell EMC issues patches for two remote access vulnerabilities

https://www.scmagazine.com/dell-emc-issues-patches-for-two-remote-access-vulnerabilities/article/744642/

Threatpost: Dell EMC Patches Critical Flaws in VMAX Enterprise Storage Systems

https://threatpost.com/dell-emc-patches-critical-flaws-in-vmax-enterprise-storage-systems/129952/

Seclists: DSA-2018-024: Dell EMC VMAX Virtual Appliance (vApp) Manager Multiple Vulnerabilities

http://seclists.org/fulldisclosure/2018/Feb/att-38/DSA-2018-024.txt

 

 --

Two Sentenced in Massive Payment Card Data Theft Case

(February 14 & 15, 2018)

Two Russian men have been sentenced to prison in the US for their roles in a massive cyberattack that stole and sold details of 160 million payment card accounts. Vladimir Drinkman was sentenced to 12 years; Dmitriy Smilianets was sentenced to just over four years.  


Read more in:

Reuters: Russian gets 12 years in U.S. prison for role in hacking scheme

https://www.reuters.com/article/us-usa-russia-cyberattack/russian-gets-12-years-in-u-s-prison-for-role-in-hacking-scheme-idUSKCN1FY39W

Cyberscoop: Two Russians sentenced to prison for role in hacks against U.S. companies

https://www.cyberscoop.com/two-russians-sentenced-to-prison-for-role-in-hacks-against-u-s-companies/

DoJ: Two Russian Nationals Sentenced to Prison for Massive Data Breach Conspiracy

https://www.justice.gov/usao-nj/pr/two-russian-nationals-sentenced-prison-massive-data-breach-conspiracy

 

 --

NY Finance Cybersecurity Law Deadline

(February 14, 2018)

Financial services companies doing business in the state of New York had until February 15 to certify their compliance with the New York State Department of Financial Services Cybersecurity Regulation.


Read more in:

Dark Reading: Filing Deadline for New Infosec Law Hits NY Finance Firms Thursday

https://www.darkreading.com/risk/compliance/filing-deadline-for-new-infosec-law-hits-ny-finance-firms-thursday/d/d-id/1331065

Dept. of Financial Services: Key Dates under New York's Cybersecurity Regulation (23 NYCRR Part 500)

http://www.dfs.ny.gov/about/cybersecurity.htm

 

 --

DHS Supply Chain Security Initiative

(February 14 & 15, 2018)

The US Department of Homeland Security's (DHS's) Jeanette Manfra told an audience at a Brookings Institution panel discussion that the agency has launched a supply chain security initiative. Calling it "a focused effort with dedicated staff," Manfra said that they are working with industry experts to identify the risks.


[Editor Comments]

[Northcutt] This is a good opportunity to reread NIST 800-161 on the same topic:

http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pdf


[Pescatore] Supply chain security: good. More federal tax dollars being spent on "identifying the risks:" not good. I'd like to see DHS start with collecting best practices from private industry, other countries (like the UK and Australia) and even across government agencies, like DoD DIBNet.  The solution is more action changing existing processes and practices, not more reports.


Read more in:

FCW: DHS developing supply chain security initiative

https://fcw.com/articles/2018/02/14/dhs-supply-chain-security.aspx?admgarea=TC_Security

Nextgov: DHS to Scrutinize Government Supply Chain for Cyber Risks

http://www.nextgov.com/cybersecurity/2018/02/dhs-scrutinize-government-supply-chain-cyber-risks/145998/

FNR: DHS, lawmakers doubling down on supply chain risk management

https://federalnewsradio.com/cybersecurity/2018/02/dhs-lawmakers-doubling-down-on-supply-chain-risk-management/

Brookings: The federal Cybersecurity Framework 4 years later: What's next for cybersecurity?

https://www.brookings.edu/events/the-federal-cybersecurity-framework-4-years-later-whats-next-for-cybersecurity/

 

 --

Olympic Destroyer Malware Update

(February 14, 2018)

New details about the malware that targeted the 2018 Pyeongchang Winter Olympics are emerging. Dubbed Olympic Destroyer, the malware disrupted broadcasts of the opening ceremonies and temporarily took the Olympics website offline. Olympic Destroyer appears to wipe files on shared network drives and may have a more potent credential-stealing component than was first believed.


Read more in:

Threatpost: Researchers Find New Twists in 'Olympic Destroyer' Malware

https://threatpost.com/researchers-find-new-twists-in-olympic-destroyer-malware/129937/

 

 --

Satori Botnet

(February 14, 2018)

Satori botnet malware is spreading through a vulnerability in wireless routers that is unlikely to be fixed anytime soon. The malware infects Internet of Things (IoT) devices to harness their processing power to mine cryptocurrency and launch other attacks.


Read more in:

Ars Technica: A potent botnet is exploiting a critical router bug that may never be fixed

https://arstechnica.com/information-technology/2018/02/a-potent-botnet-is-exploiting-a-critical-router-bug-that-may-never-be-fixed/

 

 --

Patch Tuesday for Microsoft and Adobe

(February 13, 2018)

On Tuesday, February 13, Microsoft and Adobe released their scheduled monthly security updates. Microsoft's updates address more than 50 security issues in Windows, Internet Explorer, Edge, Outlook, and Office. One of the updates fixes two vulnerabilities in Adobe Flash, which ships with the most recent versions of Microsoft's browsers. Adobe's security updates address 39 vulnerabilities in Reader and Acrobat.  


[Editor Comments]

[Neely] This has been a busy month for Adobe, with the early release of the fix for the zero-day flash vulnerability (CVE-2018-4878) followed by updates for Reader and Acrobat. This would be a good time to make sure that flash is configured to ask before executing. The Microsoft patches address a number of memory corruption and privilege escalation flaws.

The SANS ISC has a nice rundown on the vulnerabilities and severities addressed with the patches from Microsoft and Adobe.


https://isc.sans.edu/forums/diary/February+2018+Microsoft+and+Adobe+Patch+Tuesday/23341/


Read more in:

KrebsOnSecurity: Microsoft Patch Tuesday, February 2018 Edition

https://krebsonsecurity.com/2018/02/microsoft-patch-tuesday-february-2018-edition/

SC Magazine: Microsoft Patch Tuesday: Nearly 50 patches, most for privilege escalation

https://www.scmagazine.com/microsoft-february-patch-tuesday/article/744166/

SC Magazine: Adobe Patch Tuesday patches issues in Acrobat, Reader and Experience manager

https://www.scmagazine.com/adobes-february-patch-tuesday/article/744165/

Microsoft: Security Update Summary

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

Adobe: Security updates available for Adobe Acrobat and Reader | APSB18-02

https://helpx.adobe.com/security/products/acrobat/apsb18-02.html

 

INTERNET STORM CENTER TECH CORNER

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/February+2018+Microsoft+and+Adobe+Patch+Tuesday/23341/


Skype Update Privilege Escalation Vulnerability

http://seclists.org/fulldisclosure/2018/Feb/33


Winter Olympics Attack Launched via IT Provider

https://www.cyberscoop.com/atos-olympics-hack-olympic-destroyer-malware-peyongchang/


Double Door Botnet

https://blog.newskysecurity.com/doubledoor-iot-botnet-bypasses-firewall-as-well-as-modem-security-using-two-backdoor-exploits-88457627306d        


Skype Update Vulnerability Fixed in October

https://answers.microsoft.com/en-us/skype/forum/skype_newsms/update-on-installer-for-skype-for-windows-desktop/242f1415-1399-42e1-a6a2-cd535c8b7ff8?tm=1518635969608&auth=1


iOS Indian Character DoS

http://www.openradar.me/37458268


Telegram Vulnerability Exploited to Spread Cryptocoin Miner

https://securelist.com/zero-day-vulnerability-in-telegram/83800/


Meltdown Prime and SpectrePrime: More CPU Exploits Coming

https://arxiv.org/abs/1802.03802


OpenSSL Releases TLS 1.3 Alpha as Part of OpenSSL 1.1.1 pre release 1

https://www.openssl.org/news/openssl-1.1.1-notes.html


Executing Code in Word Without Macros

https://www.trustwave.com/Resources/SpiderLabs-Blog/Multi-Stage-Email-Word-Attack-without-Macros/


Phishing Via Google Ads Against Blockchain.info

http://blog.talosintelligence.com/2018/02/coinhoarder.html


******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create