
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #14

February 20, 2018





Amazon Web Services S3 Bucket Exposes FedEx Data

Charter of Trust Emphasizes Importance of Cybersecurity in Government and Business Decisions

Two More SWIFT Thefts Disclosed

US Dept. of Energy Establishes Cybersecurity Office


AMSI Null Character Flaw Fix Included in February Patch Tuesday

Apple Updates OSes to Fix App Crash Problem

Google Chrome Now Blocking Some Annoying Ads

US Dept. of Justice Reveals Russian Indictment

IRS Wants Hiring Flexibility Reauthorization



***************************  Sponsored By Menlo Security  *******************

Trust Hacking: Cyber Criminals are Exploiting Traditional Measures of Trust on the Web.  In 2017, cyber criminals successfully exploited long-held measures of trust, such as site reputation or category, to avoid detection and increase the effectiveness of their attacks.

The State of the Web 2017 report uncovered 42% of Alexa's top 100,000 sites were risky. Learn more by downloading this report. http://www.sans.org/info/202090



-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018

-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018            

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

-- SANS Northern VA Spring - Tysons 2018 | March 17-24 | https://www.sans.org/event/northern-va-spring-tysons-2018

-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018

-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018

-- SANS at RSA(R) Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018

-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018

-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018

-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off your OnDemand or vLive training course by February 21. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all





Amazon Web Services S3 Bucket Exposes FedEx Data

(February 15, 2018)

A publicly readable Amazon Web Services (AWS) S3 bucket exposed sensitive data belonging to tens of thousands of FedEx customers. Exposed information includes scanned passports, driver's licenses, and other identification documents. The data were originally collected by Bongo International, a company FedEx acquired in 2014.

[Editor Comments]

[Pescatore] Here at the SANS Cloud Security Summit in San Diego we've had several great user presentations on how easy it is to prevent insecure use of "storage as a service," especially Amazon's S3. The continuing stream of exposures shows that it is still too easy to do it wrong, however; it is important to use the S3 tools available, and/or cloud security add-on tools, to find the inevitable "hey, look at what someone left in the airline seat pocket!" events.
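The checks that find a bucket like this one are mechanical: does the bucket policy grant read to any principal, does the ACL grant to the AllUsers or AuthenticatedUsers groups, and is Block Public Access fully on. The following is an added example, not SANS, FedEx or AWS code. It runs offline over constructed JSON in the shape the S3 API returns for GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock (the latter control postdates this newsletter); the bucket name, account ID and VPC endpoint ID are made up.

```python
"""Offline audit of the S3 settings that make a bucket world-readable.

Added example; not SANS, FedEx or AWS code. It consumes the JSON that
`aws s3api get-bucket-policy`, `get-bucket-acl` and
`get-public-access-block` return, so the constructed samples below stand
in for live API output.
"""
from fnmatch import fnmatch

# Grantee URIs that mean "anyone on the Internet" / "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Actions that let a caller enumerate or download objects.
READ_TARGETS = ("s3:getobject", "s3:listbucket")
# Condition keys that constrain *how* a request arrives, not *who* sends it;
# a statement gated only on these is still public.
NON_SCOPING_CONDITION_KEYS = {"aws:securetransport"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_scopes_caller(condition):
    keys = {k.lower() for operands in (condition or {}).values() for k in operands}
    return bool(keys - NON_SCOPING_CONDITION_KEYS)


def public_policy_statements(policy):
    """Sids of Allow statements that grant read access to any principal."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        if _condition_scopes_caller(stmt.get("Condition")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # IAM action names are case-insensitive and may carry wildcards (s3:Get*, s3:*, *).
        if any(fnmatch(t, a) for a in actions for t in READ_TARGETS):
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_acl_grants(acl):
    """(group, permission) pairs granted to the AllUsers/AuthenticatedUsers groups."""
    return [
        (PUBLIC_GRANTEE_URIS[g["Grantee"]["URI"]], g.get("Permission"))
        for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS
    ]


def public_access_block_gaps(pab):
    """Block Public Access flags that are missing or false (all four should be true)."""
    settings = pab.get("PublicAccessBlockConfiguration", {})
    return [k for k in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy",
                        "RestrictPublicBuckets") if not settings.get(k, False)]


def audit_bucket(policy, acl, pab):
    return {
        "public_policy_statements": public_policy_statements(policy),
        "public_acl_grants": public_acl_grants(acl),
        "public_access_block_gaps": public_access_block_gaps(pab),
    }


# Constructed samples (not real FedEx/Bongo data): one bucket, three distinct exposures.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "TlsOnlyRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": False,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": False}}

if __name__ == "__main__":
    for check, result in audit_bucket(SAMPLE_POLICY, SAMPLE_ACL, SAMPLE_PAB).items():
        print(f"{check}: {result or 'none'}")
```

Note that the VpcOnlyList statement is not flagged because its condition pins the caller to one VPC endpoint, while TlsOnlyRead is flagged: requiring TLS says nothing about who may read. On a real account, iterate the same three calls over every bucket; a single unflagged result per bucket is the target state.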

Read more in:

SC Magazine: Open AWS S3 bucket exposes private info on thousands of Fedex customers


Ars Technica: Mountains of sensitive FedEx customer data exposed, possibly for years



Charter of Trust Emphasizes Importance of Cybersecurity in Government and Business Decisions

(February 16, 2018)

Industrial control systems (ICS) vendor Siemens, along with several other large multinational companies, has signed a Charter of Trust. The charter aims to protect critical infrastructure around the world by calling on governments and organizations to make cybersecurity a primary concern when developing products and making business decisions.

[Editor Comments]

[Neely] Driving security from the provider side, coupled with the work from NIST establishing security baselines, is a key factor in raising the bar on IoT security. The plan includes certification, regulatory frameworks, sharing incidents, and education, which, when combined with efforts such as DOE's CESER below, have a real chance of making a difference.

Read more in:

Dark Reading: Siemens Leads Launch of Global Cybersecurity Initiative


Bloomberg: Siemens Teams With Airbus to IBM in Cyberattack Defense Plan


Siemens: Charter of Trust https://www.siemens.com/global/en/home/company/topic-areas/digitalization/cybersecurity.html


Two More SWIFT Thefts Disclosed

(February 15, 16, & 19, 2018)

Russia's central bank disclosed in a report that an unnamed Russian bank lost 339.5 million roubles ($6 million USD) in 2017 to thieves who used the SWIFT international payments messaging system to send fraudulent transfer orders. In a separate story, India's City Union Bank disclosed that thieves abused its SWIFT connection to steal a total of $1.8 million USD earlier this year.

Read more in:

The Register: Crims pull another SWIFT-ie, Indian bank stung for nearly US$2m


SC Magazine: Hackers pilfered $6M from Russian central bank via SWIFT system


Reuters: Hackers stole $6 million from Russian bank via SWIFT system: central bank


City Union Bank: Press Release: Cyber Attack on Our Bank's SWIFT System



US Dept. of Energy Establishes Cybersecurity Office

(February 14 & 16, 2018)

The US Department of Energy (DoE) is establishing the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), which will receive $94 million USD in funding according to the proposed budget. CESER will help protect the country's power grid and other critical infrastructure elements from cyber attacks, physical attacks, and natural disasters.

[Editor Comments]

[Neely] DOE's budget also includes $395 million for cybersecurity risk management to cover securing the rest of DOE's systems.

Read more in:

NYT: U.S. Energy Department Forming Cyber Protection Unit for Power Grids


FCW: DOE plans cyber office, supercomputing expansion


SC Magazine: U.S. DOE creates new cybersecurity office


**************************  SPONSORED LINKS  ********************************

1) Free eBook: 7 Experts on Moving to a Cloud-Based Endpoint Security Platform - Download Now:  http://www.sans.org/info/202095

2) Don't Miss:  "It's Time to Move Endpoint Security to the Cloud" with John Pescatore.  Register:  http://www.sans.org/info/202100

3) What is your definition of an advanced SOC if you are a CISO, a SOC Manager, or a security analyst? Register to hear SANS instructor Chris Crowley discuss it: http://www.sans.org/info/202105




AMSI Null Character Flaw Fix Included in February Patch Tuesday

(February 16 & 19, 2018)

Among the security issues addressed in Microsoft's February security updates is a flaw in the Antimalware Scan Interface (AMSI) that allows content containing an embedded null character to bypass AMSI scanning. On unpatched systems the scan treats the submitted buffer as a null-terminated string: scanning stops at the first null character and everything after it is ignored, so malicious script content placed after the null is never inspected.
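A minimal model of the bug class and of the check a defender can run over script content, as an added example; this is not Microsoft's code, the scanner stands in for an AMSI provider with trivial substring signatures, and the signatures and sample scripts are constructed for the demonstration.

```python
"""Model of the AMSI null-character truncation and a check for it.

Added example, not Microsoft's code. The scanner below stands in for an
AMSI provider and matches trivial substring signatures; the bug pattern it
reproduces (a length-delimited buffer handled as a NUL-terminated string)
is the one the February patch closed. Signatures and sample scripts are
constructed for the demonstration.
"""
# Constructed stand-ins for real AV detections.
SIGNATURES = ("Invoke-Mimikatz", "AmsiUtils")


def scan_vulnerable(content: str) -> bool:
    """Unpatched behaviour: the buffer is read as a C string, so the scan
    stops at the first U+0000 and nothing after it is inspected."""
    visible = content.split("\u0000", 1)[0]
    return any(sig in visible for sig in SIGNATURES)


def scan_fixed(content: str) -> bool:
    """Patched behaviour: honour the caller-supplied length and scan every
    character, NUL included."""
    return any(sig in content for sig in SIGNATURES)


def has_embedded_null(content: str) -> bool:
    """Detection heuristic for the interim: legitimate PowerShell, VBScript
    or JScript text has no business containing NUL characters, so a NUL in
    content that reached the scanner is itself worth an alert (and tells
    you an unpatched host truncated its scan)."""
    return "\u0000" in content


def scan_was_truncated(content: str) -> bool:
    """True when the two implementations disagree: the payload slips past
    the unpatched scanner only because of the NUL."""
    return has_embedded_null(content) and scan_fixed(content) and not scan_vulnerable(content)


# Constructed sample inputs.
BENIGN = "Get-ChildItem C:\\Windows\\Temp | Measure-Object"
BYPASS = "Write-Host 'hello'\u0000Invoke-Mimikatz -DumpCreds"  # malicious part sits after the NUL

if __name__ == "__main__":
    for label, script in (("benign", BENIGN), ("bypass", BYPASS)):
        print(f"{label}: vulnerable={scan_vulnerable(script)} fixed={scan_fixed(script)} "
              f"null_present={has_embedded_null(script)} truncated={scan_was_truncated(script)}")
```

Until every host has the February update, the `has_embedded_null` check is the useful part: applied to PowerShell script block logs (Event ID 4104) or to any content your own tooling submits to AMSI, a NUL character is a high-signal indicator that someone is trying exactly this.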

Read more in:

Bleeping Computer: Null Character Bug Lets Malware Bypass Windows 10 Anti-Malware Scan Interface


Standa-Note: AMSI Bypass With a Null Character




Apple Updates OSes to Fix App Crash Problem

(February 19, 2018)

Apple has released updates for iOS (11.2.6), macOS (10.13.3 Supplemental Update), tvOS (11.2.6), and watchOS (4.2.3) to fix an issue that was causing apps to crash. The problem arose when a certain Indian-language character was displayed. Apps that crashed as a result need to be uninstalled and reinstalled to function properly again.

[Editor Comments]

[Neely] While this sounds similar to a flaw in iMessage in 2016, that crash used a lot of data, while this flaw only requires a single character to take out your application, or possibly the iOS UI, e.g. SpringBoard. Pushing this update is a good idea. If you have applications that crashed from this flaw, they will need to be reinstalled; otherwise the OS update is sufficient.

Read more in:

CNET: Apple updates operating systems to fix app-crashing bug




Google Chrome Now Blocking Some Annoying Ads

(February 14 & 17, 2018)

As of Thursday, February 15, Google's Chrome browser is blocking intrusive advertisements. Chrome is filtering out ads that fail to meet a list of criteria known as the Better Ads Standards. Advertisements that include pop-ups, auto-playing video with sound, ads that cover the screen and include a countdown, and large images that remain at the bottom of a page even when users scroll down are among those that are being filtered. Ads are filtered on both desktop and mobile versions of Chrome. Users will see a message notifying them that ads are being blocked and offering the option to display the ads.

Read more in:

Chromium Blog: Under the hood: How Chrome's ad filtering works


Ars Technica: Good news: Chrome debuts automatic blocking of annoying ads




US Dept. of Justice Reveals Russian Indictment

(February 16, 2018)

The US Department of Justice (DoJ) has released an indictment against 13 Russian individuals and three Russian companies for allegedly interfering with the US 2016 presidential election. The individuals named in the indictment allegedly hid their identities by using identities stolen from US citizens, renting US-based servers, and using a VPN. The indictment alleges that the interference began in 2014.

[Editor Comments]

[Honan] This is not the first time governments have interfered with the election process in other countries, however it is a stark reminder that nations should consider how their elections can be influenced and undermined by social media and other online platforms and not just traditional means.

Read more in:

Dark Reading: 13 Russians Indicted for Massive Operation to Sway US Election


Cyberscoop: Indictments reveal how Russia's 2016 election information warfare worked


The Register: Mueller bombshell: 13 Russian 'troll factory' staffers charged with allegedly meddling in US presidential election


Washington Post: Russian troll farm, 13 suspects indicted in 2016 election interference


Reg Media: Indictment (PDF)




IRS Wants Hiring Flexibility Reauthorization

(February 15, 2018)

In testimony before the US Senate Finance Committee, acting Internal Revenue Service (IRS) commissioner David Kautter asked legislators to reauthorize the agency's critical pay authority, which allows the IRS to expedite the hiring of private sector talent in critical areas like cybersecurity. The IRS was initially granted critical pay authority in the IRS Restructuring and Reform Act of 1998, but the agency's authority to hire under that law expired in 2013.

[Editor Comments]

[Neely] This allows the IRS to hire needed talent at competitive rates for the duration needed, which is excellent for resolving immediate problems. Beyond resisting and responding to cyber-attacks, the agency is delivering an increasing percentage of services through on-line channels, which need security from the ground up. Ultimately, the agency needs to develop a long-term cybersecurity program that is self-sustaining.

Read more in:

FNR: Acting IRS commissioner seeks flexible hiring authority for cyber talent




Inspecting Malicious MSI Files


Monero Miner Injected via Jenkins Flaw


Microsoft Edge Arbitrary Code Guard Bypass


macOS APFS May Lose Data


Apple Releases Fix for Unicode Messaging DoS Flaw in All Operating Systems


Flight Simulator Mod Company Uses Password Stealer to "Fight Back"



Bypassing Microsoft's Anti Malware Scan Interface




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create