OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #3

January 12, 2018


SANS NewsBites               January 12, 2018                Vol. 20, Num. 003



CPU Patches

Report: CISOs Say Lack of Competent Staff is Top Cybersecurity Concern

Vulnerabilities Found in SCADA Android Mobile Apps

Another macOS Flaw


Mobile Spyware Targets North Korean Defectors

Alleged Fruitfly Creator Indicted

FBI Assails Encryption (Again)

DHS is Providing Election Systems Security Help for States

Proposed Legislation Would Tighten Security Requirements, Increase Breach Penalties on Credit Bureaus

Security Contest Prize: Virus-Infected USB Stick

Microsoft Patch Tuesday: January 2018



****************** Sponsored By NETSCOUT Systems, Inc. ***********************

We need to rethink our security architecture. If we had a clean slate and ample budget, how would we develop the ideal network security architecture? "In a Perfect World...Building the Network Security Architecture for the Future" with John Pescatore, will examine key elements of the network of the future, how those can be implemented and what to keep--or toss--in the process. Register: http://www.sans.org/info/201140



-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018

-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018

-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018

-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018

-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018

-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad, ASUS Chromebook or $350 Off with your vLive Course when you register by January 24. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLivehttps://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all




CPU Patches

(January 9, 10, & 11, 2018)

Some vendor patches for the Spectre and Meltdown CPU vulnerabilities have been causing problems for users. Microsoft said that systems running incompatible anti-virus products would not receive any further updates; anti-virus vendors must confirm compatibility by setting a registry key. Linux has released microcode to address the CPU problems for certain processors. Canonical had to release a new patch after Ubuntu Xenial 16.04 users reported that the first fix rendered their systems unable to boot. Google says it applied patches for the flaws last year and that they have not slowed down its cloud services.  

[Editor Comments]

[Neely] The patches are complicated and some require steps beyond just clicking install to complete the mitigation. They are also changing rapidly as issues surface and are resolved. Test not only for stability after application but also for performance impact.

[Pescatore] There are patches and then there are PATCHES. It is pretty clear that software/firmware PATCHES for Spectre/Meltdown are complex and will, at a minimum, have performance impact. They will require significantly more QA testing than routine monthly Microsoft vulnerability Tuesday patches, probably even more than quarterly Oracle CPU PATCHES. Spinning up production environments (with obfuscated data) on IaaS services has enabled many organizations to increase depth of patch/PATCH testing while minimizing increases in time to patch. But, shielding, mitigation and monitoring will be needed in the interim.

Read more in:

ZDNet: Microsoft: No more Windows patches at all if your AV clashes with our Meltdown fix


Computerworld: Microsoft reinstates Meltdown/Spectre patches for some AMD processorsbut which ones?


Computerworld: Microsoft sets novel antivirus prerequisite before offering Windows emergency updates


ZDNet: Major Linux distros have Meltdown patches, but that's only part of the fix


Bleeping Computer: Intel Releases Linux CPU Microcodes for Processors Going Back Two Decades


Bleeping Computer: Meltdown & Spectre Patches Causing Boot Issues for Ubuntu 16.04 Computers


V3: Meltdown and Spectre patches re-issued by Canonical following Ubuntu 16.04 boot problems


Reuters: Google says its security patches not slowing down systems




Report: CISOs Say Lack of Competent Staff is Top Cybersecurity Concern

(January 10, 2018)

According to a Ponemon Institute survey, 612 Chief Information Security Officers (CISOs) and IT security professionals said that their top cyber security concern for 2018 is the lack of competent in-house staff. Other concerns in the top five are data breaches, cyber attacks, inability to reduce employee negligence, and ransomware.

[Editor Comments]

[Honan] Facing a shortage of experienced security professionals, the best way to tackle this issue is to provide effective training and support to existing staff to better enable them. Also, we need to look outside our traditional tech fields to recruit people with the aptitude for security, the technical skills can always be taught to a willing learner

[Northcutt] These CISOs would be wise to consider GIAC and other cybersecurity skills, or job based, certifications when hiring. One more person that can fill in a form, or double check a form will not help.



Read more in:

Dark Reading: https://www.darkreading.com/vulnerabilities---threats/cisos-no-1-concern-in-2018-the-talent-gap/d/d-id/1330800




Vulnerabilities Found in SCADA Android Mobile Apps

(January 11, 2018)

According to a report from security companies IOActive and Embedi, there are security concerns about Android mobile apps for Supervisory and Control and Data Acquisition (SCADA) systems. Cyber security professionals at the firms found nearly 150 security issues in 34 Android mobile SCADA apps. The flaws could be exploited to disrupt or sabotage operations. A similar study in 2015 found 50 vulnerabilities in 20 mobile apps.

[Editor Comments]

[Neely] The air-gap is dead, long live the air-gap. Mobile App Security remains a recurring issue. The report is these apps are not implementing security measures to guarantee the communications to ICS systems are secure and the control sequences cannot be coopted. With sufficient maturity, the application developers can implement services such as a bug bounty program to help identify and resolve issues.

[Honan] A common misconception to many is that ICS/SCADA systems are secured because they are air gapped.  This is a stark demonstration that this myth has well and truly been busted.

Read more in:

The Register: Everything running smoothly at the plant? *Whips out mobile phone* Wait. Nooo...


Dark Reading: Vulnerable Mobile Apps: The Next ICS/SCADA Cyber Threat


eWeek: 147 Security Vulnerabilities Found in ICS Mobile Applications




Another macOS Flaw

(January 11, 2018)

A flaw in macOS could be exploited to allow anyone with local admin privileges to unlock the Apple App Store System preferences with any username and password combination. The issue appears to affect only macOS "10.13.2 and possibly the earlier betas of 10.13.3."

[Editor Comments]

[Neely] Apple has had a rough time of late with privilege and security escalation flaws.  For those targeting 10.13 as the path to mitigation of Meltdown and Spectre issues, this flaw has only been found in 10.13.2, and is has been reported as fixed in the 10.13.3 update which is due shortly.

Read more in:

Bleeping Computer: macOS Bug Lets Local Admin Unlock App Store System Prefs With Any Password


V3: Another password flaw has been discovered in Apple's MacOS


**************************  SPONSORED LINKS  ********************************

1) It's time to make sure that DNS is part of your security posture. Register to Learn more: http://www.sans.org/info/201145

2) Don't Miss: "Are You in Control? Managing the CIS Critical Security Controls within your Enterprise" http://www.sans.org/info/201150

3) "Why Insider Actions Matter: SANS Review of LogRhythm CloudAI for User and Entity Behavior Analytics" with Dave Shackleford. Register: http://www.sans.org/info/201155





Mobile Spyware Targets North Korean Defectors

(January 11, 2018)

McAfee researchers have detected a Trojan that targets North Korean defectors and the people helping them. The malware uses social media and chat apps to target people in South Korea with the goal of placing spyware on their devices.

Read more in:

ZDNet: Android trojan targets North Korean defectors and their supporters


Cyberscoop: New hacking campaign targets North Korean defectors in South Korea




Alleged Fruitfly Creator Indicted

(January 10 & 11, 2018)

An Ohio man has been indicted on 16 charges related to his alleged creation and use malware known as Fruitfly to spy on people for more than 13 years. Phillip Durachinsky allegedly used Fruitfly to surreptitiously turn on computers' microphones and cameras, to log keystrokes, and to steal data. Fruitfly was first detected just last year.

Read more in:

The Register: Ohio coder accused of infecting Macs, PCs with webcam, browser spyware for 13 years


Ars Technica: Prosecutors say Mac spyware stole millions of user images over 13 years


Cyberscoop: Feds charge 'Fruitfly' creator with hacking thousands of computers


Regmedia: Durachinsky Indictment



 --FBI Assails Encryption (Again)

(January 10, 2018)

FBI director Christopher Wray told an audience at the International Conference on Cyber Security earlier this week that unbreakable encryption is "an urgent public safety issue," noting that his agency was unable to access nearly 7,800 devices in the 12-month period ending on September 30, 2017.

[Editor Comments]

[Honan] - I agree with FBI director Wray unbreakable encryption is "an urgent public safety issue" and we need to keep encryption unbreakable to keep the public safe

[Pescatore] When Director Wray said this in October 2017, we replied: [Pescatore, Murray, Honan and Neely] We would reword that headline "Encryption Prevented Thieves from Exploiting Data on More Than Three Million Stolen Cellphones and the FBI From Investigating Fewer Than Seven Thousand"

[Williams] The FBI's arguments on "responsible encryption" are disingenuous. They say they need backdoors in encryption to keep us safe from terrorists and organized crime.  But encryption backdoors won't be used to access phones used by terrorists and organized crime as the FBI insinuates. Those groups will move to other technologies without known backdoors quickly, leaving the only people impacted by backdoors regular users.

[Neely] As we've said before, this is encryption done right. Backdoors will corrode the integrity of the companies adding them to devices, nor will they remain in the custody of only law enforcement. Keeping the data on mobile devices secure, given the broad range sensitive activities they are involved with, is more critical to keeping our end users safe than having a mechanism for law enforcement to decrypt that data.

[Murray] The mobile phone is a source of evidence that did not exist a decade ago.  Instead of just saying "Thank you," the FBI complains that it is not even better than it is. The mobile is used for our most intimate communications deserving a high level of protection. That said, this is a matter of cost, not capability.  If one has a cryptogram, the method, and the key, all of which are in the device, then recovering the clear text is merely expensive or difficult, not impossible. The FBI has already demonstrated this in the San Bernadino case. It makes no sense to weaken the security of millions of users to address these edge cases. While the number may look big to the FBI, it is not significant in the larger scheme of things.  

Read more in:

Softpedia: FBI Says It Wants To (But Can't) Hack 8,000 Devices


Threatpost: FBI Director Calls Smartphone Encryption an 'Urgent Public Safety Issue'




DHS is Providing Election Systems Security Help for States

(January 10, 2018)

The US Department of Homeland Security (DHS) says that it has already completed cyber security assessments of election systems in three US states, and expects to have another 11 requested assessments completed by the middle of April. News reports in December said that states were reporting a nine-month wait for DHS assessments.   

[Editor Comments]

[Murray] These assessments require a high level of knowledge, skill, ability, and experience.  These are scarce.  However, DHS is not the only source.

Read more in:

The Hill: Homeland Security speeds up election security aid to states


Nextgov: DHS: We Can Vet Election Cyber Systems in All 50 States




Proposed Legislation Would Tighten Security Requirements, Increase Breach Penalties on Credit Bureaus

(January 10, 2018)

Legislation proposed in the US Senate would impose penalties, including hefty fines, on credit bureaus that experience data breaches. The Data Breach Prevention and Compensation Act of 2018 would apply to companies that make more than $7 million USD a year from the sale of consumer data. The bill would require the companies to adopt measures to protect consumer data, and calls for establishing a cyber security office at the Federal Trade Commission (FTC) that would be responsible for supervising and inspecting data protection and credit reporting companies.

[Editor Comments]

[Pescatore] I have a reflexive negative response to reflexive proposals for legislation that invariably come out after headline-grabbing breaches. This one would try to put the FTC into a monitoring/assessment/standards role in cybersecurity, vs. FTC's existing (and effective) role in investigating violations and fining violators. Not a good idea, I'm sure this one will fade away.

[Murray] Data breaches at the credit bureaus have been particularly egregious.  Remedies must go to the fundamental issue of the rights of the individual to control, or at least influence, information about themselves.  This legislation does not address this.   Effective legislation would give the individual free access to his credit record, its sources, and its use.

Read more in:

FCW: Senate bill would give FTC new data breach authority


The Register: Leaky credit report biz face massive fines if US senators get their way


Nextgov: If Another Equifax Breach Happens, Lawmakers Want to See Billions in Fines




Security Contest Prize: Virus-Infected USB Stick

(January 10, 2018)

USB drives given as prizes in a security quiz offered by by Taiwan's Criminal Investigation Bureau were found to be infected with malware. The devices appear to have been infected with an old virus that tries to steal data from 32-bit machines.  

Read more in:

The Register: Taiwanese cops give malware-laden USB sticks as prizes for security quiz


BBC: Taiwanese police give cyber-security quiz winners infected devices




Microsoft Patch Tuesday: January 2018

(January 9, 2018)

On Tuesday, January 9, Microsoft released updates to address more than 50 security issues in a variety of products. Sixteen of the flaws are rated critical. Microsoft released out-of-band updates on January 3 to address the Meltdown and Spectre flaws. On the same day, Adobe released a single fix for Flash Player.

Read more in:

Microsoft Technet: Security Update Summary


ZDNet: Windows patches: Microsoft kills off Word's under-attack Equation Editor, fixes 56 bugs


KrebsOnSecurity: Microsoft's Jan. 2018 Patch Tuesday Lowdown


Threatpost: Microsoft January Patch Tuesday Update Fixes 16 Critical Bugs


Bleeping Computer: Microsoft January Patch Tuesday Fixes 56 Security Issues, Including a Zero-Day


SC Magazine: Patch Tuesday: Adobe issues lone patch for Flash Player


ZDNet: Adobe patches information leak vulnerability




A Story About PeopleSoft: How to Make $250k Without Leaving Home.


Microsoft Patch Tuesday


What is Going on With Port 3333



JSONRPC Vulnerability in Electrum Wallets


Lets Encrypt Tunrs Off TLS-SNI-01 Verification


Exploiting CVE-2018-0802 (Microsoft Equation Editor)



Mining or Nothing!


Taiwan Police Handing Out Infected USB Sticks


macOS AppStore Preferences Unlock Authentication Bypass



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create