Save $350 on Hands-on Cyber Security Training at SANS Sonoma 2019! Ends 11/21.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #29

April 13, 2018


****************************************************************************

SANS NewsBites               April 13, 2018                Vol. 20, Num. 029

****************************************************************************

TOP OF THE NEWS

  Atlanta's Expensive Ransomware Recovery

Cryptocurrency Exchange Coinsecure Theft

US Copyright Office Considering DMCA Exemption for Voting Machines

REST OF THE WEEK'S NEWS

  GDPR Compliance Deadline is May 25

Nikulin Legal Team Exploring Plea Deal

Cyber Storm VI Cyberspace Exercise

Emergency Alert System Vulnerability

SAP Update

Microsoft Patch Tuesday

Adobe Patch Tuesday

NIST Software Security Assessment

INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By Authentic8  ***********************


SOC analysts who use a cloud browser can reduce the time spent investigating cases by more than 50%. Instead of wasting time spinning up a VDI or connecting to a jumpbox, get online in seconds with a secure cloud browser and egress from hundreds of points of presence around the world. http://www.sans.org/info/203390


*****************************************************************************

TRAINING UPDATE


-- SANS Security West 2018 | San Diego, CA | May 11-18 https://www.sans.org/event/security-west-2018


-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 https://www.sans.org/event/automotive-cybersecurity-summit-2018


-- SANS Melbourne 2018 | May 14-26 https://www.sans.org/event/melbourne-2018


-- SANS Northern VA Reston Spring 2018 | May 2025 https://www.sans.org/event/northern-va-reston-spring-2018


-- SANS Amsterdam May 2018 | May 28-June 2 https://www.sans.org/event/amsterdam-may-2018


-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 https://www.sans.org/event/rocky-mountain-2018


-- SANS London June 2018 | June 4-12 https://www.sans.org/event/london-june-2018


-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 https://www.sans.org/event/digital-forensics-summit-2018


-- SANS Cyber Defence Canberra 2018 | June 25-July 7 https://www.sans.org/event/cyber-defence-canberra-2018


-- SANS OnDemand and vLive Training The SANS Training you want with the flexibility you need. Special Offer: Get a 12.9" iPad Pro, HP ProBook 450 G5 or take $350 off your OnDemand or vLive course by April 18. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLivehttps://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************

TOP OF THE NEWS

 --

Atlanta's Expensive Ransomware Recovery

(April 12, 2018)

Recovering from a ransomware attack can be costly. The city of Atlanta, Georgia has spent $2.7 million USD cleaning up an attack that started on March 12. Colorado's Department of Transportation (DOT) has spent $1.5 million USD on the aftermath of an attack that began on February 22. Both systems were hit with SamSam ransomware.  


[Editor Comments]

[Murray] It is ironic that even when there are insufficient resources to prevent, there are always resources to remediate, for that which must be done.


[Williams] There is a lot of nuance in these numbers not being reported.  While the numbers reported are definitely being spent by the respective cities, these are not all direct costs relating to incident recovery. Much of the money being spent is being used to replace end of life infrastructure and fortify defenses. While money should definitely be allocated to these activities, this reporting highlights a larger problem in reporting incident response spending - namely that there's no accepted practice for what is (and isn't) reported as an incident response cost. Until reporting is standardized, we can't compare the relative costs of responding to incidents such as these.


Read more in:

SC Magazine: Atlanta, Colorado DOT ransomware mitigation costing millions

https://www.scmagazine.com/atlanta-colorado-dot-ransomware-mitigation-costing-millions/article/758034/


 --

Cryptocurrency Exchange Coinsecure Theft

(April 12, 2018)

More than $3 million USD worth of Bitcoin was stolen from the Coinsecure cryptocurrency exchange. The company's CEO has accused his CSO of the theft. The incident occurred just days after the Reserve Bank of India banned banks and other financial institutions from trading in cryptocurrencies.


[Editor Comments]

[Williams] Another major cryptocurrency theft at an exchange? Nobody involved in this market is surprised. Banks have been regulated for years and still have issues with their online security. By comparison, cryptocurrency exchanges are the Wild West.  Putting your money in an exchange right now is like running a classified advertisement for someone to hold some money for you - maybe it works out okay, but if it doesn't, nobody will be surprised. Seriously, if you value your hard-earned money, keep it out of cryptocurrency exchanges.


Read more in:

Bleeping Computer: $3.3 Million Stolen From Coinsecure Bitcoin Exchange, Inside Job Suspected

https://www.bleepingcomputer.com/news/security/33-million-stolen-from-coinsecure-bitcoin-exchange-inside-job-suspected/

 

 --

US Copyright Office Considering DMCA Exemption for Voting Machines

(April 11, 2018)

As part of its triennial exemption process for the Digital Millennium Copyright Act (DMCA), the US Copyright Office is considering expanding the scope of exceptions to DMCA to include voting machines, which would allow researchers to probe the devices for vulnerabilities without fear of legal repercussion. At a hearing earlier this week, researchers and vendor representatives voiced their opinions about the possible change.


[Editor Comments]

[Pescatore] It is hard to find good data around the use of DMCA to hinder legitimate security investigations but a 2010 EFF report cited only12 such actions in the first 12 years of DMCA. However, it remainsn clear that the exemptions are needed to remove all obstacles in the way of making sure that product vendors clearly see that selling vulnerable products will result in lower profits than selling safe products.


[Williams] Security through obscurity isn't security at all. There is no sane reason not to allow broader inspection of electronic voting machines. The only people seriously opposing this are manufacturers afraid of looking bad (and their lobbyists).


Read more in:

Cyberscoop: Security researchers and industry reps clash over voting machine security testing

https://www.cyberscoop.com/voting-machine-dmca-exemption-security-research-hearing/?category_news=technology

 

**************************  SPONSORED LINKS  ********************************


1) Join SANS for the 2nd Annual Automotive Cybersecurity Summit, May 7-8, in Chicago. http://www.sans.org/info/203395


2) How do complex systems affect the cost of your endpoint management? Take our survey: http://www.sans.org/info/203400


3) Do you believe in SOCs? How critical is the SOC to your organization? Take the SANS SOC survey and enter to win a $400 Amazon gift card |http://www.sans.org/info/203405


*****************************************************************************

THE REST OF THE WEEK'S NEWS     

 --

GDPR Compliance Deadline is May 25

(April 12, 2018)

Businesses have until May 25, 2018, to comply with the General Data Protection Regulation (GDPR), which is designed to protect EU citizens' privacy and data security. The EU Parliament approved the GDPR in April 2016.  A PwC survey found that compliance efforts can be expensive; more than 60 percent of the companies surveyed planned to spend $1 million USD or more.


Read more in:

EUGDPR: GDPR Portal: Site Overview

https://www.eugdpr.org/

Forbes: Preparing For GDPR And All Its Unpredictability

https://www.forbes.com/sites/forbestechcouncil/2018/04/12/preparing-for-gdpr-and-all-its-unpredictability/#7d9b5505feb1

 

 --

Nikulin Legal Team Exploring Plea Deal

(April 12, 2018)

Attorneys for Yevgeniy Nikulin are exploring a plea deal for their client who allegedly stole data from LinkedIn and other organizations. Nikulin was arrested in Czechia in 2016 and was extradited to the US in March 2018; he pleaded not guilty to charges of computer intrusion; intentional transmission of information, code, or command causing damage to a protected computer; aggravated identity theft; and trafficking in unauthorized access devices and conspiracy.  


Read more in:

Cyberscoop: Extradited Russian explores plea deal for massive LinkedIn breach

https://www.cyberscoop.com/yevgeniy-nikulin-russian-hacker-linkedin-breach-plea-deal/?category_news=technology

 
 

 --

Cyber Storm VI Cyberspace Exercise

(April 11, 2018)

The US Department of Homeland Security (DHS) is running the Cyber Storm VI cybersecurity exercise this week. The exercise will include more than 1,000 players from DHS, the National Cybersecurity and Communications Integration Center, federal law enforcement agents, state governments, and private sector companies that are part of the country's critical infrastructure. "The exercise helps assess cybersecurity preparedness; examines incident response processes, procedures, and information sharing; and identifies areas for improvement."


Read more in:

FNR: Cyber experts take critical infrastructure systems by 'storm' this week

https://federalnewsradio.com/cybersecurity/2018/04/cyber-experts-take-critical-infrastructure-systems-by-storm-this-week/

DHS: Cyber Storm VI: National Cyber Exercise

https://www.dhs.gov/cyber-storm-vi

 

 --

Emergency Alert System Vulnerability

(April 10, 2018)

A vulnerability in the radio protocol of certain systems used to manage emergency sirens and alerts could be exploited to activate false alarms. The issue was initially discovered in the ATI systems in San Francisco. Officials there have been working to address the problem since February.    


[Editor Comments]

[Neely] When radio transmissions are part of your system, don't forget that can be equivalent to shouting down the hall. Even when encryption is used, due diligence is required to stay secure. Updates often require physical access and/or new hardware to protect critical infrastructure as was the case when we stopped using DES to protect microwave transmissions.  It took the researcher two years to reverse engineer the system, leveraging the monthly tests and SDR. The fix from ATI adds needed encryption to the transmission.


Read more in:

SFGate: Security firm: All it took was $35 and a laptop to hack SF emergency alert system

https://www.sfgate.com/news/article/Security-firm-All-it-took-was-35-and-a-laptop-12822536.php

Threatpost: Vulnerability in San Francisco's Public Safety Warning Sirens Fixed

https://threatpost.com/vulnerability-in-san-franciscos-public-safety-warning-sirens-fixed/131117/

 

 --

SAP Update

(April 11, 2018)

SAP's April update addresses 10 security issues. The most serious of the vulnerabilities is a memory corruption/code injection issue that affects SAP's Business Client and has been given a CVSS rating of 9.8.


Read more in:

The Register: SAP's Business Client can own entire apps, DDOS them into dust

http://www.theregister.co.uk/2018/04/11/sap_april_2018_security_update/

SAP: SAP Security Patch Day - April 2018

https://blogs.sap.com/2018/04/10/sap-security-patch-day-april-2018/

 

 --

Microsoft Patch Tuesday

(April 10 & 11, 2018)

On Tuesday, April 10, Microsoft released updates to address at least 65 security issues in Windows and other products. One of the fixes is for a flaw in Outlook that could be exploited to steal a user's password by tricking the user into previewing an email with a Rich Text Format (RTF) attachment that contains a remotely-hosted OLE object. The flaw was first detected more than a year ago.


Read more in:

The Register: It's April 2018 - and Patch Tuesday shows Windows security is still foiled by fiendish fonts

http://www.theregister.co.uk/2018/04/10/its_april_2018_and_windows_10_pwned_with_fonts/

KrebsOnSecurity: Adobe, Microsoft Push Critical Security Fixes

https://krebsonsecurity.com/2018/04/adobe-microsoft-push-critical-security-fixes-12/

Threatpost: Outlook Bug Allowed Hackers to Use .RTF Files to Steal Windows Passwords

https://threatpost.com/outlook-bug-allowed-hackers-to-use-rtf-files-to-steal-windows-passwords/131169/

ZDNet: Windows security: Microsoft patch for Outlook password leak bug 'not a full fix'

https://www.zdnet.com/article/windows-security-microsoft-patch-for-outlook-password-leak-bug-not-a-full-fix/

Microsoft: Release Notes: April 2018 Security Updates

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/abf77563-8612-e811-a966-000d3a33a34d

Microsoft: Security Update Summary

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

 

--

Adobe Patch Tuesday

(April 10 & 11, 2018)

On Tuesday, April 10, Adobe released fixes for 19 security issues in a variety of products. Four of the flaws that affect Flash Player and InDesign are rated critical.   


Read more in:

Threatpost: Adobe Patches Four Critical Bugs in Flash, InDesign

https://threatpost.com/adobe-patches-four-critical-bugs-in-flash-indesign/131097/

Adobe: Adobe Security Bulletins and Advisories

https://helpx.adobe.com/security.html

 

--

NIST Software Security Assessment

(April 10, 2018)

NIST has released NISTIR 8011 Volume 3: Automation Support for Security Control Assessments. The draft document offers guidance for implementing automated Software Asset Management. NIST is accepting comments until May 4, 2018.


[Editor Comments]

[Pescatore] The draft document weighs in at 179 dense pages, which points out why turning on application control and privilege management on all endpoints (which all users live with regularly on their iPhones and iPads) as basic security hygiene not only raises the bar against attacks but can also greatly simplify the continuous monitoring and assessment effort.


Read more in:

GCN: NIST details software security assessment process

https://gcn.com/articles/2018/04/10/nist-software-asset-management.aspx?admgarea=TC_SecCybersSec

NIST: Automation Support for Security Control Assessments

https://csrc.nist.gov/CSRC/media/Publications/nistir/8011/vol-3/draft/documents/nistir-8011-vol3-draft.pdf

 

INTERNET STORM CENTER TECH CORNER

MSFT Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+April+2018+Patch+Tuesday/23539/

https://insights.sei.cmu.edu/cert/2018/04/automatically-stealing-password-hashes-with-microsoft-outlook-and-ole.html


Vulnerable Emergency Sirens

https://www.sirenjack.com


iOS Contacts Access Control

http://jordansmith.io/address-book-contact-security/

        

UAdmin Phishing Backend

https://isc.sans.edu/forums/diary/A+Phishers+View+of+Phishing+UAdmin+27+Phishing+Control+Panel/23543/


Insecure SecureRandom

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018-April/015873.html


WebAuthn for Post Password Authentication

https://www.w3.org/TR/2018/CR-webauthn-20180320/

        

Drupal RCE Exploit Released

https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/


Broken Macro in Malspam Campaign

https://isc.sans.edu/forums/diary/Glitch+in+malspam+campaign+temporarily+reduces+spread+of+GandCrab/23547/


New Random Number Generator Using Entangled Photons

https://www.nature.com/articles/s41586-018-0019-0.epdf


Fake Updates Campaign Spreading Malware

https://blog.malwarebytes.com/threat-analysis/2018/04/fakeupdates-campaign-leverages-multiple-website-platforms/


Coinsecure Loses 438 BTC in Insider Attack

http://archive.is/Riwv6


Pastebin XSS Vulnerability

https://github.com/Nhoya/PastebinMarkdownXSS


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create