Learn real-world cyber security skills from active industry experts in Anaheim. Save $150 thru 12/18.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #28

April 10, 2018


SANS NewsBites               April 10, 2018                Vol. 20, Num. 028



Russia Seeks to Ban Telegram Messaging App

Flaw in Cisco Switches Exploited in Targeted Attacks

Threadkit Document Exploit Builder Now Includes Exploit for Known Flash Flaw


Halderman on Voting Machine Security

Grid Dispute Caused Digital Clocks in Europe to Lose Six Minutes

Upgrade Causes Problems for Belgian Bank

Prison Time for Oracle Patch Pirates

Bolton's Aggressive Cyberstrike Rhetoric

911 Call Center Security


***************************  Sponsored By Splunk  ************************************

A Guide to Fraud in the Real World

Fraud is a growing problem as more parts of our lives are being touched by digitization. Download a free copy of A Guide to Fraud in the Real World to learn how much fraud is growing across different industries and how organizations are using machine data to find anomalies to fight fraud.  http://www.sans.org/info/203330



-- SANS Security West 2018 | San Diego, CA | May 11-18 | https://www.sans.org/event/security-west-2018

-- SANS at RSA Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018

-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 https://www.sans.org/event/automotive-cybersecurity-summit-2018

-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018

-- SANS Northern VA Reston Spring 2018 | May 2025 | https://www.sans.org/event/northern-va-reston-spring-2018

-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018

-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 | https://www.sans.org/event/rocky-mountain-2018

-- SANS London June 2018 | June 4-12 | https://www.sans.org/event/london-june-2018

-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018

-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get a 12.9" iPad Pro, HP ProBook 450 G5 or take $350 off your OnDemand or vLive course by April 18. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLivehttps://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

-- View the full SANS course catalog and Cyber Security Skills Roadmap






Russia Seeks to Ban Telegram Messaging App

(April 6 & 9, 2018)

Russia's Roskomnadzor, the Federal Service for Supervision of Communications, Information Technologies and Mass Media, has filed a lawsuit asking a court in that country to block the Telegram messaging app. Telegram has refused to provide Russian authorities with encryption keys.

[Editor Comments]

[Murray] Device to device encryption, such as Telegram, should not be relied upon for resisting nation states or for life and death applications.

[Neely]  When you're relying on encrypted communication, it is important to understand who has access to the encryption keys and under what conditions. Review the relevant certificate practices statement. Ideally manage those yourself.  While Telegram is fighting the FSB request for these keys, it is likely that Telegram will not only be banned in Russia, but also the users whose data they wish to decrypt will relocate to alternative services.

Read more in:

V3: Russia set to ban Telegram app for refusing to hand over decryption keys on demand


ZDNet: Russia moves to block Telegram after encryption key denial




Flaw in Cisco Switches Exploited in Targeted Attacks

(April 6 & 9, 2018)

Attackers are exploiting a critical flaw in Cisco switches to attack systems at elements of critical infrastructure in several countries. The issue lies in Cisco's Smart Install Client and has been used against data centers in Russia and Iran.  

[Editor Comments]

[Ullrich] The attackers exploit the fact that Smart Install is enabled. They are not exploiting a specific flaw; they are exploiting a badly designed system. Cisco offers a number of tools and settings to disable Smart Install.

Read more in:

Internet Storm Center: https://isc.sans.edu/forums/diary/Cisco+Smart+Install+vulnerability+exploited+in+the+wild/23535/

Cyberscoop: Nation-state hackers hit Cisco switches


The Register: Cisco mess from 2017 becomes tool for state-sponsored infrastructure attacks and defacements


ZDNet: Cisco security: Russia, Iran switches hit by attackers who leave US flag on screens


eWeek: Hackers Use Flaw in Cisco Switches to Attack Critical Infrastructure


Dark Reading: Attackers Exploit Cisco Switch Issue as Vendor Warns of Yet Another Critical Flaw



Threadkit Document Exploit Builder Now Includes Exploit for Known Flash Flaw

(April 9, 2018)

Document exploit builder Threadkit now includes an exploit for an Adobe Flash vulnerability. Adobe released a fix for the issue in February. Exploit code has been seen in the wild. The issue affects Flash versions 23 through

[Editor Comments]

[Ullrich] The Flash installed base has been shrinking rapidly, and we have seen fewer and fewer Flash exploits. This doesn't mean that you can let down your guard. This exploit will likely arrive as an Office document with embedded Flash file. I do not see a good reason to allow Office documents with embedded Flash content pass to users.

[Murray] It is impossible to patch Flash to anything approaching a safe state.   Stop using it.

Read more in:

The Register: Patch or ditch Adobe Flash: Exploit on sale, booby-trapped Office docs spotted in the wild


**************************  SPONSORED LINKS  ********************************

1) Join SANS for the 2nd Annual Automotive Cybersecurity Summit, May 7-8, in Chicago.   http://www.sans.org/info/203335

2) Do you believe in SOCs? How critical is the SOC to your organization? Take the SANS SOC survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/203340

3) Take the SANS IIoT Survey by April 9 to enter to win a $400 Amazon gift card! http://www.sans.org/info/203345




Halderman on Voting Machine Security

(April 9, 2018)

University of Michigan professor Alex Halderman spoke to students and faculty at the University of Maryland's school of engineering about voting machine security. Halderman noted that some of the measures that election officials cite as bolstering the security of electronic voting machines are not as effective as they seem at first glance. While decentralization of voting systems means that there is not one single point of entry to access voting machines across the country, attackers bent on influencing an election would likely focus on swing states, conducting more targeted probes of those systems. Halderman also said that air gapping electronic voting machines is not sufficient to protect them from hackers. Even if the voting machines are not connected to the Internet, they must be programmed with new ballots for each election, presenting a possible vector of attack.

[Editor Comments]

[Pescatore] The goal can *not* be to make voting systems invulnerable, since even in non-electronic voting systems there are many attack paths. The first goal has to be to require electronic voting systems to "design in" and "build in" basic security hygiene to provide at least the same level of integrity as physical systems. We have to avoid the "cult of the difficult problem" here.

[Murray] History teaches that election tampering is much more likely in the tabulating and reporting steps than in the recording step.  Modern scanners make the use of paper ballots  efficient, timely, demonstrable, and auditable.  Computer security should focus on the scanners, tabulators, and reporting systems.  Auditing of such systems and procedures should be routine.

Read more in:

Cyberscoop: Air gapping voting machines isn't enough, says one election security expert




Grid Dispute Caused Digital Clocks in Europe to Lose Six Minutes

(April 3 & 8, 2018)

An electrical grid dispute between Serbia and Kosovo caused some digital clocks across Europe to run six minutes slow. Clocks that are plugged into outlets usually tell time by the rate of electrical current. Earlier this year, the dispute between Serbia and Kosovo led to unmet demand in Kosovo, which slightly reduced the rate of electrical current across the Continental European Power System. The European Network of Transmission System Operators (ENTSO-E) fixed the problem by maintaining a slightly higher than usual rate of electrical current for a month.  

Read more in:

Ars Technica: European grid dispute resolved, lost 6 minutes returned to oven clocks


ENTSOE: Frequency deviations - Continental European TSOs have restored the situation to normal




Upgrade Causes Problems for Belgian Bank

(April 6, 2018)

After Belgian Bank Argenta updated its software, some customers reported transfer delays. On Tuesday, April 3, when online baking services came back online after the update, problems were immediately evident. As of Friday, April 6, Argenta's mobile application was once again available, but online banking was not.

Read more in:

Brussels Times: Argenta: mobile application available again, no online banking yet


The Register: Botched upgrade at Belgian bank Argenta sparks phishing frenzy




Prison Time for Oracle Patch Pirates

(April 6, 2018)

Four people have been sentenced for their roles in a scheme of stealing and selling Oracle and Sun firmware patches. The four men created phony companies, purchased service and support agreements for one server at each of the fake companies, downloaded Oracle's intellectual property, and sold it.

Read more in:

Bleeping Computer: Three Execs Get Prison Time for Pirating Oracle Firmware Patches




Bolton's Aggressive Cyberstrike Rhetoric

(April 1 & 4, 2018)

John Bolton, the newest US National Security Advisor, has a history of calling for an aggressive cyber stance. In speeches, op-eds, and television and panel appearances, Bolton has called for retaliatory cyber strikes against China, Russia, North Korea, and Iran. In a separate story, US Director of National Intelligence Dan Coats told an audience at a media breakfast that the US is seriously considering an offensive cyber strategy.

Read more in:

Politico: John Bolton, cyber warrior


The Hill: Intel chief wants to 'play offense' on cyber warfare




911 Call Center Security

(April 3, 2018)

The attack on the 911 call center computers in Baltimore last month is just the latest attack on an emergency call center. Over the past two years, there have been at least 42 cyberattacks that directly or indirectly impacted emergency call centers in the US. Two dozen of those were ransomware attacks and the rest mostly denial-of-service attacks. Emergency call centers are urging state and local governments as well as telecommunications companies to adopt Next Generation 911, which will let people make emergency calls through telecommunications providers and ISPs.  

[Editor Comments]

[Pescatore] The security problems with emergency response systems are very similar to the voting machine issues. 911 centers are typically funded and procured locally and often administered by local government IT organizations that are underfunded and undertrained. Federal funding and guidance has been scattered across multiple government agencies, as GAO pointed out in a 2014 report. In a recent NewsBites (Vol. 20, Number 25, March 30, 2018: EI-ISAC Plans to Install Intrusion Detection Sensors on Voter Registration Sites: https://www.sans.org/newsletters/newsbites/xx/25), I complimented the Center for Internet Security (who runs the MultiState ISAC) on their support for increasing the security of election systems - be great to see similar support to Public Safety Access Points.

Read more in:

NBCNews: Hackers have taken down dozens of 911 centers. Why is it so hard to stop them?




Pivotal Patches Multiple Spring Framework Vulnerabilities


Vigilante Hacktivists Attack Russian And Iranian Routers


Intel Removes NUC Remote Keyboard


"Beep" Still Vulnerable


Security Podcast Award Voting


Bing Displays Malicious Links for Google Chrome Download Queries


Remote Code Execution Vulnerability in CyberArk


Enabling DNS Over TLS Using Unbound


Turning off Smart Install in Cisco Switches


Adobe Flash Exploit in the Wild for CVE-2018-4878

https://www.youtube.com/watch?v=cjPn1cQy_FE&feature=youtu.be (turn sound off)



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create