
Volume XX - Issue #48

June 19, 2018


SANS NewsBites               June 19, 2018                Vol. 20, Num. 048




NIST Rules for Contractor Data Handling


Marine Corps May Encourage Older Marines to Re-Enlist to Build Cyber Force


OPM Wants to Know About Agency Cybersecurity Workforce Needs



macOS Quick Look Leaks Data


Google to Fix Location Data Leak in Google Home and Chromecast


Vulnerabilities in Axis Cameras


Typeframe Trojan


Responses to House Committee RFI on Legacy Medical Device Cybersecurity


Company Reportedly Working on Pentagon AI Project May Have Been Hacked










NIST Rules for Contractor Data Handling

(June 15, 2018)

The National Institute of Standards and Technology (NIST) has released SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, which will allow companies seeking federal government contract work to determine if they are in compliance with requirements for handling data.


[Editor Comments]

[Pescatore] NIST provides a mapping of 800-171 to the NIST Cybersecurity Framework and EDUCAUSE has published a nice template (created by the Common Solutions Group) that includes mapping 800-171 to ISO 27002 and an older version of the Critical Security Controls:


[Murray] IT and "cyber security" have always been poor at articulating measurable service level agreements (SLA). We have often operated under an implicit SLA of "best efforts." Our expectations of other parties will not be met until we learn to express them in such a way that both parties can know that they are met. In our space, this includes expressions of risk tolerance. Look to ITIL for both expectations and their expression.

[Northcutt] The document could be more beneficial with some guidance on how an organization knows, or should know, which information needs protecting. In the absence of guidance, the default tends to be either all or none. Also, this document is clear that organizations have a lot of freedom to choose which measures they implement. With those two issues taken together, I am not sure it will be terribly useful.

Read more in:

Fifth Domain: New rules tell contractors how to handle controlled data


NVLPubs: Assessing Security Requirements for Controlled Unclassified Information



Marine Corps May Encourage Older Marines to Re-Enlist to Build Cyber Force

(June 10, 2018)

The US Marine Corps is considering offering perks to encourage older Marines with more experience to re-enlist to help bolster the military branch's cyber security operations. Earlier this year, the Marine Corps announced the addition of a new cyberspace occupational field that includes jobs focusing on cyber weapons, development, and both defensive and offensive operations.  

[Editor Comments]

[Murray] The lesson for the rest of us is that we can solve some of our workforce problem by recruiting, hiring, training, and educating veterans to work in this space. Not only do they bring discipline but they bring a special appreciation of threat and risk. More than "A Few Good Men."

[Paller] The most successful veterans' cybersecurity transition program is VetSuccess, which boasts a 90% placement rate at great salaries:

https://hireourheroes.org/sans-vet-success-academy-cyber-security-training-dc/: SANS Institute Vet Success Academy: Cyber Security Training for Veterans

Read more in:

Marine Corps Times: Marine Corps weighs wooing older members for new cyber force


Marine Corps Times: Corps unveils new cyber job field (March 1, 2018)



OPM Wants to Know About Agency Cybersecurity Workforce Needs

(June 14, 2018)

The Office of Personnel Management (OPM) is requiring agencies to "report their cybersecurity work roles of critical need," meaning the cybersecurity positions they must fill to protect their systems and carry out their missions. OPM is requiring that the agencies submit an initial report by August 31, 2018 detailing the roles that need to be filled and the factors that are preventing them from being filled. A comprehensive report, which "must include the completion of action plans with metrics and targets to address and mitigate root causes identified for the cybersecurity work roles of critical need," will be due on April 30, 2019.

[Editor Comments]

[Murray] I think that this is one more example of "admiring the problem."

Read more in:

FCW: OPM pushes agencies to report cyber workforce gaps


CHCOC: Preliminary Report on Agency Cybersecurity Work Roles of Critical Need due August 31, 2018






macOS Quick Look Leaks Data

(June 18, 2018)

A flaw in the macOS "Quick Look" feature can leak sensitive data. Quick Look automatically generates caches of user files, and those caches remain accessible even when the drive the files are on is encrypted. The information can be viewed only by someone who has physical access to the computer. The cached information persists even after the file is deleted or the USB device has been removed from the computer.

[Editor Comments]

[Ullrich] Mixing encrypted and non-encrypted disks is never a good idea. A number of cache files and logs are typically kept in the user's home directory or specific locations on the system's boot or root disks (e.g. /var on many Unix systems). An operating system often doesn't "know" that data originates from an encrypted partition. Quick fix: Encrypt all disks.

Read more in:

Ars Technica: Reminder: macOS still leaks secrets stored on encrypted drives


ZDNet: A bug in macOS' "Quick Look" feature leaks encrypted data, researchers find


Bleeping Computer: macOS Breaks Your OpSec by Caching Data From Encrypted Hard Drives




Google to Fix Location Data Leak in Google Home and Chromecast

(June 18, 2018)

Google plans to fix a privacy issue that affects its Google Home and Chromecast devices. An authentication vulnerability allows attackers to obtain location data for the devices by tricking users into opening a link while connected to the same Wi-Fi network as a vulnerable device. Google is scheduled to release the fix next month.

Read more in:

KrebsOnSecurity: Google to Fix Location Data Leak in Google Home, Chromecast


Tripwire: Google's Newest Feature: Find My Home




Vulnerabilities in Axis Cameras

(June 18, 2018)

Security flaws in Axis Internet-connected video cameras could be exploited to gain remote control of vulnerable devices, letting attackers spy on users, take control of the camera, or make it part of a botnet. In all, seven flaws were identified. Axis has updated firmware for the affected devices.


[Editor Comments]

[Ullrich] The authentication bypass vulnerability will likely be exploited soon. Patch. Or better: Do not expose ANY cameras to the Internet.


[Murray] While more cameras than baby monitors are attached directly to the Internet, few are able to resist malicious traffic from that network. Few are directly managed or maintained. Updated firmware late is not an effective or efficient remedy for poor early design and implementation.

Read more in:

Threatpost: Axis Cameras Riddled With Vulnerabilities Enabling "Full Control"


Bleeping Computer: Vendor Patches Seven Vulnerabilities Across 392 Camera Models


ZDNet: Vulnerabilities in these IoT cameras could give attackers full control, warn researchers




Typeframe Trojan

(June 14, 15, & 18, 2018)

The US Department of Homeland Security's (DHS's) US-CERT has issued a malware analysis report regarding a Trojan horse program known as Typeframe, which is believed to have been developed by a North Korean hacking group.

[Editor Comments]

[Williams] Unlike many malware samples that execute an svchost.exe using process hollowing, this malware creates a new service that runs in an existing svchost.exe service group. However, this highlights the importance of software inventories in discovering malware. Interestingly, most of the malware was compiled using Visual C++ 6.0, which was released in 1998. Little software today is being actively developed using this platform, but malware authors like it because all modern versions of Windows already have the runtime for this version installed. Newer versions of the compilers may require a separate C++ runtime to be installed before executing. The exception to this is the x64 modules, which were compiled with Visual C++ 8.0, probably because 6.0 doesn't support x64 modules.

Read more in:

US-CERT: Malware Analysis Report (AR18-165A): MAR-10135536-12 - North Korean Trojan: TYPEFRAME


ZDNet: Windows warning: US exposes North Korea government's Typeframe malware


The Register: US-CERT warns of more North Korean malware


SC Magazine: FBI, DHS report details new North Korean trojan
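The editor comment above notes that the 32-bit Typeframe modules were built with Visual C++ 6.0 and the x64 modules with Visual C++ 8.0, and that software inventories help surface such outliers. The following is an added example, not code from the US-CERT report or from SANS: it parses the PE optional header's linker version and machine type (the fields a PE linker stamps into every module) so an inventory pass can flag legacy-toolchain binaries for review. The helper build_min_pe constructs hypothetical header stubs for the sample; the category names are this example's own.

```python
"""Flag PE files whose linker version suggests a legacy toolchain (added example)."""
import os
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C   # standard PE machine constants
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def build_min_pe(machine, linker_major, linker_minor):
    """Construct a minimal, hypothetical PE header stub (sample input only)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header follows the DOS stub
    magic = 0x20B if machine == IMAGE_FILE_MACHINE_AMD64 else 0x10B   # PE32+ vs PE32
    size_opt = 0xF0 if magic == 0x20B else 0xE0
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, size_opt, 0x2002)
    # Only the first four bytes of IMAGE_OPTIONAL_HEADER are needed here:
    # Magic, MajorLinkerVersion, MinorLinkerVersion
    opt = struct.pack("<HBB", magic, linker_major, linker_minor)
    return bytes(dos) + b"PE\0\0" + file_hdr + opt


def pe_linker_info(data):
    """Return (machine, linker_major, linker_minor), or None if not a parseable PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt_off = e_lfanew + 4 + 20                     # signature + file header
    if opt_off + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)
    if size_opt < 4:
        return None
    _magic, major, minor = struct.unpack_from("<HBB", data, opt_off)
    return machine, major, minor


def classify(data):
    """Map a module to an inventory category; VC6 x86 is the legacy case worth review."""
    info = pe_linker_info(data)
    if info is None:
        return "not-pe"
    machine, major, _minor = info
    if machine == IMAGE_FILE_MACHINE_I386 and major == 6:
        return "vc6-x86"        # Visual C++ 6.0 linker: almost no current software uses it
    if machine == IMAGE_FILE_MACHINE_AMD64 and major == 8:
        return "vc8-x64"        # Visual C++ 2005 (8.0) linker
    return "other"


def scan_tree(root):
    """Walk a directory and return {path: category} for every file (inventory pass)."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                results[path] = classify(fh.read(0x400))   # headers sit in the first KiB
    return results
```

Linker version alone is a triage signal, not proof of anything; compare flagged modules against the organization's known software inventory before escalating.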




Responses to House Committee RFI on Legacy Medical Device Cybersecurity

(June 14, 2018)

Earlier this year, the US House Energy and Commerce Committee published a request for information on how best to improve cybersecurity for legacy medical devices. The deadline for comments was May 31. The committee has not yet released the responses publicly, but some of the responding organizations have released their comments themselves. Some have suggested that device manufacturers need to provide more information, such as "documentation of vulnerabilities within their products...includ[ing] documentation on vulnerabilities that have not been publicly disclosed," and incorporating security tools like logs and whitelisting as part of the device. Manufacturers have noted that "medical devices cannot support updates beyond the useful life of the underlying technology."

Read more in:

GovInfoSecurity: Strong Opinions Voiced on Medical Device Security Challenges


Energy Commerce: Supported Lifetimes Request for Information (PDF)




Company Reportedly Working on Pentagon AI Project May Have Been Hacked

(June 12, 2018)

Computers used by a group at artificial intelligence (AI) start-up Clarifai may have been infiltrated by Russian hackers. The group was reportedly working on a top-secret AI project for the US military. A lawsuit filed by a former Clarifai employee alleges that the computers used by the group working on the project were compromised by at least one person in Russia. It also alleges that Clarifai learned of the breach in November 2017 but did not immediately notify the Pentagon. The former employee says she lost her position at the company because of her insistence that the incident be disclosed.

Read more in:

Wired: Startup Working on Contentious Pentagon AI Project was Hacked




SMTP Strangeness - Possible C2


Encrypted Office Documents


Recent Port 8000 Scans


New Clipboard Cryptocoin Stealing Bot


WebUSB Weakness


Axis Camera Vulnerabilities


Apple Caches Confidential Data on Unencrypted Drives


Andy Emulator Infected With CryptoMiner



Obfuscated JavaScript Targeting Mobile Devices




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create