OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #26

April 3, 2018


SANS NewsBites               April 3, 2018                Vol. 20, Num. 026



  Microsoft Emergency Patch for Meltdown Flaw

  Software Bug Caused October 2016 Phone Outage

  Apple Updates macOS, iOS


  Google Moves to Protect Chrome Web Store Users from Cryptomining

  DoD Moving to Risk Management Framework for IT Systems Authorization

 Grid Security Exercise Demonstrates Need for Increased Security Clearances

  Panera Website Data Leak

  Upscale Department Store Payment System Breached

  Under Armour Breach Affects 150 Million MyFitnessPal Accounts

  Nikulin Extradited to US

  macOS Bug Exposes External Drive Passwords

  Maryland High School Teams Take Four of Five Top Spots in GirlsGoCyberStart Competition


***************************  Sponsored By Unisys  ************************************

Don't Miss: "Digital Trust in a Perimeter Less World" Learn about protecting assets critical to an organization's continued operations, without impeding productivity. Register: http://www.sans.org/info/203235



-- SANS Security West 2018 | San Diego, CA | May 11-18 | https://www.sans.org/event/security-west-2018


-- SANS at RSA(R) Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018


-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018

-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018


-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018


-- SANS Northern VA Reston Spring 2018 | May 20-25 | https://www.sans.org/event/northern-va-reston-spring-2018


-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018


-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 | https://www.sans.org/event/rocky-mountain-2018


-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018


-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Special Offer: Get a GIAC Certification Attempt Included or take $350 Off your OnDemand or vLive training course by April 4.



-- Can't travel? SANS offers online instruction for maximum flexibility

Live Daytime training with Simulcast - https://www.sans.org/simulcast

Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/


View the full SANS course catalog and Cyber Security Skills Roadmap






Microsoft Emergency Patch for Meltdown Flaw

(March 29 & 30, 2018)

Microsoft fixed problematic patches released in January, February, and March with an emergency update on Thursday, March 29, 2018. The initial patches meant to address the Meltdown bug actually introduced a new problem. Microsoft issued a fix for the new problem as part of its monthly security update on Tuesday, March 13, but that fix was found to be incomplete.   

[Editor Comments]

[Many Editors] Microsoft doesn't issue emergency patches unless they see lack of immediate patching as negligence on the part of their customers. And negligence carries legal liability.

Read more in:

Microsoft: CVE-2018-1038 | Windows Kernel Elevation of Privilege Vulnerability


Dark Reading: Microsoft Rushes Out Fix for Major Hole Caused by Previous Meltdown Patch


The Register: Microsoft patches patch for Meltdown bug patch: Windows 7, Server 2008 rushed an emergency fix


Threatpost: Microsoft Fixes Bad Patch That Left Windows 7, Server 2008 Open to Attack




Software Bug Caused October 2016 Phone Outage

(March 31, 2018)

According to a report from the US Federal Communications Commission (FCC), an October 2016 major telephony outage in the US was the result of a software bug. An employee at the Level 3 telecommunications company, which is now part of CenturyLink, was entering phone numbers associated with malicious activity into software so they could be blocked. When the employee left a field empty, the software did not ignore it, but instead interpreted the blank field as a "wildcard," and blocked all telephone calls. The company's telephony network was down for just under an hour-and-a-half on October 4, 2016.  

[Editor Comments]

[Pescatore/Paller] Let's all hope the 2016 outage resulted in L3 consistently run the code through some code testing tools (or use a managed bug bounty kind of program) and check for other dangerous surprises, with real consequences for development teams that fail to do so.

Read more in:

Bleeping Computer: Software Bug Behind Biggest Telephony Outage in US History




Apple Updates macOS, iOS

(March 30, 2018)

On Thursday, March 29, Apple updated its desktop and mobile operating systems. macOS High Sierra users should update to version 10.13.4, and iOS users should update to version 11.3. Apple has also released updates for tvOS and watchOS.

[Editor Comments]

[Neely] With iOS 11.3 Apple attempts to address the battery concerns with the new Beta battery health function which calculates the maximum charge your battery can hold, as well as the ability to disable the device slowing performance management feature. The setting is available only after the iPhone has shutdown unexpectedly. These features are not available for the iPad. Before pushing iOS 11.3 out to the enterprise, make sure any locally-produced apps that leverage MDM-provided SDK features will operate properly and not produce false positive jailbreak notifications.

Read more in:

Apple: About the macOS High Sierra 10.13.4 Update


Apple: iOS 11.3 is available today


SC Magazine: Newest Apple releases squash bugs in iOS, macOS, Safari, various apps


eWeek: Apple Releases iOS 11.3, macOS 10.13.4 Updates to Improve Security


Ars Technica: Apple's macOS 10.13.4 is here with full external GPU support


Ars Technica: Apple releases iOS 11.3, the biggest update for iPhones since iOS 11 first launched



**************************  SPONSORED LINKS  *********************************

1) Avoid the pitfalls of reputation-based WAFs using contextual behavioral analysis - free guide from Threat X http://www.sans.org/info/203220

2) Do you believe in SOCs? How critical is the SOC to your organization? Take the SANS SOC survey and enter to win a $400 Amazon gift card. http://www.sans.org/info/203225

3) Take the SANS IIoT Survey by April 9 to enter to win a $400 Amazon gift card! http://www.sans.org/info/203230




Google Moves to Protect Chrome Web Store Users from Cryptomining

(April 2, 2018)

Google's Chrome Web Store is no longer accepting extensions that mine cryptocurrency, even if it is the express purpose of the extension. In June, Google plans to delist all current cryptomining extensions. Google's policy prior to this change was to allow cryptomining extensions as long as cryptomining was the extension's sole function and users were sufficiently informed about the activity.

Read more in:

Chromium: Protecting users from extension cryptojacking


ZDNet: Google to crack down on cryptojacking on Chrome




DoD Moving to Risk Management Framework for IT Systems Authorization

(April 2, 2018)

The US Department of Defense (DoD) is replacing the DoD Information Assurance Certification and Accreditation Process (DIACAP) for authorizing IT systems with the Risk Management Framework (RMF). The shift began in March 2014 with DoD Instruction 8510.01. The framework helps organizations using it assess the risks posed by their particular IT systems and manage those risks by choosing security controls best suited to each situation.

[Editor Comments]

[Pescatore] One of my New Year's resolutions was to refrain from "big sigh" type comments in Newsbites, but: the NIST Risk Management Framework first came out in February 2010, over 8 years ago, which was about the same time DoD started talking about DITSCAP/DIACAP moving to a risk based approach. Yet, every advance in actual government system security I can think of has come from improvements in basic security hygiene and operational practices, not via magical discoveries via risk frameworks.

Read more in:

FNR: New risk management framework expected to improve DoD cybersecurity




Grid Security Exercise Demonstrates Need for Increased Security Clearances

(April 2, 2018)

GridEx, a two-day US power grid cybersecurity exercise conducted in November 2017, found that too few utility employees have clearances that allow them access to the classified information necessary to manage threats. A report from the North American Electric Reliability Corporation (NERC) says that the "government should plan to quickly declassify information that utilities need to prevent or respond to attacks." The report also notes that some participants felt that the exercise "did not offer an effective opportunity for electric utilities to exercise their external communications response plans with external organizations, such as law enforcement and state emergency managers."

[Editor Comments]

[Honan] An important point was raised in this exercise relating to external communications with law enforcement agencies. This is a critical element of any response and needs to be properly tested. I would also posit the organisations running such exercises should test do they have contact details and communications channels with their peer organisations within their industry sector. If an attack is targeting a particular sector, rather than individual entities, it is essential you have the proper means to enable open communications with other organisations so you can determine how widespread the attack is and how best to respond.

Read more in:

NERC: Grid Security Exercise GridEx IV: Lessons Learned (PDF)


Cyberscoop: Electric grid hacking exercise puts spotlight on shortage of security clearances




Panera Website Data Leak

(April 2, 2018)

The Panera Bread restaurant website was leaking customer data for at least eight months until it was taken offline on Monday, April 2. The compromised data include names, email and physical addresses, birth dates, and the last four numbers of payment cards. The leak affected customers who had signed up for an account to order food online. The data were accessible in part because "Panera Bread uses sequential integers for account IDs."

Read more in:

KrebsOnSecurity: Panerabread.com Leaks Millions of Customer Records




Upscale Department Store Payment System Breached

(April 1 & 2, 2018)

Payment systems at some brick-and-mortar Saks Fifth Avenue and Lord & Taylor department stores have been breached. As many as five million payment card numbers allegedly stolen from the stores' systems are being offered for sale online. The breach does not appear to affect online transactions. Both stores are owned by The Hudson's Bay Company, which says that steps have been taken to contain the breach.  

Read more in:

Reuters: Saks, Lord & Taylor hit by payment card data breach


SC Magazine: Saks, Lord & Taylor breached, 5 million payment cards likely compromised


The Register: Hacks Fifth Avenue: Crooks slurp bank cards from luxury chain Saks


NYT: Card Data Stolen From 5 Million Saks and Lord & Taylor Customers




Under Armour Breach Affects 150 Million MyFitnessPal Accounts

(March 29, 30, & April 2, 2018)

Late last week, Under Armour disclosed that its MyFitnessPal app and website had been breached, exposing personal Account information of as many as 150 million accounts. The incident occurred in February 2018. The breach did not affect payment account data, as Under Armour processes that information separately.  

[Editor Comments]

[Honan] Under Armour was quick to respond to media queries and informed affected users in a timely manner. Well done. In today's threat landscape companies will not be judged on the fact they have a breach but rather how they respond to it.

Read more in:

Under Armour: Under Armour Notifies MyFitnessPal Users Of Data Security Issue


SC Magazine: Under Armour deftly manages breach, dodges GDPR scrutiny


ZDNet: Under Armour says 150 million MyFitnessPal accounts hit by data breach


Threatpost: Under Armour Reports Massive Breach of 150 Million MyFitnessPal Accounts




Nikulin Extradited to US

(March 30, 2018)

Yevgeniy Nikulin has been extradited to the US to face charges related to his alleged role in cyberattacks against LinkedIn, Dropbox, and Formspring. In a hearing in a federal courtroom in San Francisco, California, Nikulin pleaded not guilty to charges of illegally accessing computers. Nikulin was arrested in Czechia in 2016 and had fought extradition.

Read more in:

Ars Technica: Finally extradited from Europe, suspected LinkedIn hacker faces US charges


Reuters: Russian accused of massive U.S. hacking is extradited, pleads not guilty




macOS Bug Exposes External Drive Passwords

(March 21 & 28, 2018)

A bug in APFS file system for macOS High Sierra exposes encrypted external drives' passwords in plaintext. The issue affects macOS High Sierra 10.13 and 10.13.1; later versions of High Sierra are not affected.  

Read more in:

Mac4n6: Uh Oh! Unified Logs in High Sierra (10.13) Show Plaintext Password for APFS Encrypted External Volumes via Disk Utility.app


HackerNews: Apple macOS Bug Reveals Passwords for APFS Encrypted Volumes in Plaintext




Maryland High School Teams Take Four of Five Top Spots in GirlsGoCyberStart Competition

(April 2, 2018)

The GirlsGoCyberStart competition, which took place in February, found 6,650 young women from 17 states and territories competing in cybersecurity challenges over a five-day period. Teams from Maryland high schools took four of the top five top positions.

[Editor Comments]

[Pescatore] In all my years of working in government and industry, some of the worst decisions we made came from "groupthink" - anything that increases cybersecurity skills across a diverse group of people is really, really valuable.

Read more in:

Maryland DLLR: Maryland High School Girls Prove State's Future as Cybersecurity Hub




Apple Patches Everything


More Targeted Ransomware


Most ICO's are Scams



Microsoft Patching Total Meltdown Patch Again (hopefully for real)


APFS Still Logging Some Encryption Passphrases



Cloudflare Announcing Anonymous/Fast DNS Service



Detecting Phishing PDFs With Multiple Links


Chrome Removing Cryptocoin Mining Extensions


Fake Kaspersky Antivirus Malware


More Web-RTC VPN Leaks




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create