Special Offer w/ OnDemand: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training thru Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #63

August 10, 2018


SANS NewsBites               August 10, 2018               Vol. 20, Num. 063



  ICS Honeypot Compromise Shows Industrial Control Systems Are Being Targeted by Criminal

Hackers, Too

  Smart City Sensor Vulnerabilities


  Researchers Find Flaws in Mobile Point-of-Sale Devices

  The Numbers Say NARA is Doing Well with Website and eMail Security, But They Dont Include Contractors

  WhatsApp Vulnerability Allows Attackers to Alter Content, Spoof Senders

  Pacemaker Vulnerabilities

  Samsung Galaxy S7 Vulnerable to Meltdown

  Vulnerabilities in Online Stock Trading Platforms

  OpenEMR Fixes Flaws

  Investigation Finds There Was No DDoS Attack on FCC Comment System


***************************  Sponsored By Sophos Inc. ************************************

Live Webcast: With 75% of malware unique to a single organization you need to detect never-seen-before threats now. Join us to discover how Intercept X leverages multiple advanced techniques, including deep learning, anti-ransomware and anti-exploit technology, to stop both known and unknown malware in its tracks. Register Today!



Training Update

-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018

-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018

-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018

-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018

-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018

-- Threat Hunting & Incident Response Summit 2018 | New Orleans, LA | September 6-13 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2018

-- SANS Baltimore Fall 2018 | September 8-15 | https://www.sans.org/event/baltimore-fall-2018

-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018

-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get a GIAC Certification Attempt Included or Take $350 Off with OnDemand or vLive, Offer Ends August 22.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

Single Course Training

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap





 --ICS Honeypot Compromise Shows Industrial Control Systems Are Being Targeted by Criminal Hackers, Too

(August 7 & 8, 2018)

A honeypot system set up to appear to be an industrial control system (ICS) was compromised within days of going live. The attacker did not appear to be working on behalf of a nation-state. The initial attacker established backdoors on the system and posted the phony ICS access for sale online.

[Editor Comments]

[Neely] The honeypot workedit attracted hackers who not only obtained access but also sold tools that are accessed on the dark web. Bad actors are building their resume of skills, for sale to the high bidder, for better standing in future cyber battlegrounds. That high-bidder can no longer be assumed to be a nation state.

Read more in:

SC Magazine: Cybercriminals waste no time breaking into experimental honeypot designed to look like ICS environment


ZDNet: Hackers found and cracked this fake electricity substation network in just two days


Cyberscoop: Hacker honeypot shows even amateurs are going after ICS systems


Fifth Domain: Hackers targeted a fake power grid. Is the real one next?


Cybereason: ICS Threat Broadens: Nation-State Hackers Are No Longer the Only Game in Town



--Smart City Sensor Vulnerabilities

(August 9, 2018)

IBM Security and Threatcare examined smart city sensor hubs made by three companies and found 17 unpatched vulnerabilities. The flaws could potentially be exploited to manipulate traffic signals and activate flood warnings. The researchers notified the companies of the problems, and all say they have made patches available. It is not known if cities that use the affected sensors have applied the patches.   

Read more in:

Wired: The Sensors That Power Smart Cities are a Hacker's Dream


ZDNet: Smart city systems are riddled with critical security vulnerabilities


CNET: Smart cities around the world were exposed to simple hacks


**************************  SPONSORED LINKS  ********************************

1) "Break Silos and respond to threats faster; Eliminating network and security silos to speed attack response" Register: http://www.sans.org/info/206070

2) Come hear from Tom Patterson, Unisys Chief Trust Officer, who represents one of the cyber moonshot subcommittees co-chairs give you an insiders look at the security science that will impact our future. Visit Unisys at Booth #1420 at Black Hat!  http://www.sans.org/info/206075

3) Don't Miss "Automating Open Source Security: A SANS Review of WhiteSource" Learn More: http://www.sans.org/info/206080



 --Researchers Find Flaws in Mobile Point-of-Sale Devices

(August 9 & 10, 2018)

Researchers from Positive Technologies have found security flaws in mobile payment card readers. The researchers examined seven devices from four manufacturers. The flaws could be exploited to charge customers more money than they believe they are spending and to falsely display a message that the transaction failed, causing customers to pay multiple times, and otherwise diminish the devices security. The device manufacturers are developing fixes for the issues.

[Editor Comments]

[Murray] It is August in Las Vegas. It is all about existential vulnerabilities in obscure places, most of which will never be exploited at scale. As you wander on through life my boy, whatever be your goal, keep your eye upon the donut (risk) and not upon the hole (vulnerability). One should not trust or rely upon any point of sale device, mobile or stationary. Rather rely upon the out of band message (often optional) from the credit card issuer that alerts one to every transaction.

[Neely] While mobile payment readers have lowered the barrier to entry for small business, particularly those that are themselves mobile, at that scale they are heavily dependent on the reader/service provider for security. And while fixes are being released, dont expect those with the readers to be readily able to download and install them. It still remains important to sign up for fraudulent activity alerts with your card issuers and be ready to work with them to resolve unexpected charges where the merchant is unable or unwilling to provide remediation.

Read more in:

Wired: Bugs in Mobile Credit Card Readers Could Expose Buyers


The Register: You can't always trust those mobile payment gadgets as far as you can throw thembugs found by infosec duo


CNET: Security flaws in mobile point-of-sale systems spell money trouble



--The Numbers Say NARA is Doing Well with Website and eMail Security, But They Dont Include Contractors

(August 9, 2018)

An audit conducted by the National Archives Office of Inspector General found that the National Archives and Record Administration (NARA) is making significant progress regarding requirements established in DHS Binding Operational Directive (BOD) 18-01, which aims to improve email and website security for federal agencies. Figures from NARA indicate that the agency is 94 percent compliant with the website portion of the BOD, and 73 percent compliant with the email portion. The audit report points out that those figures take into account only those systems that belong to NARA; they do not include the status of systems that belong to third-party contractors responsible for websites and email. The audit found that NARA is not providing adequate oversight of those third-party contractors, which is also a requirement of the BOD.

[Editor Comments]

[Neely] Flowing security requirements to third-party providers is both critical and challenging as the third-party is not as tightly bound to the regulator as the agency. When coupled with the directive for cloud-first, it becomes even more challenging. It is hoped that the recent expansion of the scope of CDM to include cloud services will help with visibility to these distributed risks so they can be addressed, and with upward visibility the third-party service providers will be more inclined to comply.

[Murray] One is reminded of programmer progress reports that keep approaching completeness but never quite reaching it. Some things must be complete to be effective.  

Read more in:

FCW: NARA is doing great at email, website security. Maybe


Oversight: NARAs Compliance with Binding Operational Directive 18-01



--WhatsApp Vulnerability Allows Attackers to Alter Content, Spoof Senders

(August 9, 2018)

A weakness in the WhatsApp messaging app could be exploited to alter the content of messages without raising suspicions. Researchers from Check Point Software technologies found that attackers could alter messages content and sender identity. They could also send private messages that spoofed to appear as public messages to members of a group. The problem lies in WhatsApps validation of key message parameters.

Read more in:

SC Magazine: Hackers could spoof WhatsApp messages, sender names


Dark Reading: Weakness in WhatsApp Enables Large-Scale Social Engineering



--Pacemaker Vulnerabilities

(August 9, 2018)

Security flaws in Medtronic pacemakers could be exploited to take remote control of the devices and manipulate treatment. One of the problems is that the devices do not use encryption to protect firmware updates, which means that hackers could remotely install malware on the pacemakers. Researchers Billy Rios and Jonathan Butts notified Medtronic about the issues in January 2017. Medtronic has addressed some but not all of the problems. Rios and Butts demonstrated their findings at the Black Hat conference.

[Editor Comments]

[Neely] These attacks only work when a default setting is changed on specific models to allow remote access. Also, you need to be in close proximity to execute the attack making this a low risk threat.

[Murray] The temperature in Las Vegas today will reach 107F.  

Read more in:

Wired: A New Pacemaker Hack Puts Malware Directly On the Device


Ars Technica: Hack causes pacemakers to deliver life-threatening shocks



--Samsung Galaxy S7 Vulnerable to Meltdown

(August 8, 2018)

Samsung Galaxy S7 phones have recently been found to be vulnerable to the Meltdown vulnerability. Previously, the issue was thought not to have affected Samsung smartphones. Samsung has released updates in January and July of this year to address the problem.

Read more in:

Reuters: Samsung Galaxy S7 smartphones vulnerable to hacking: researchers



--Vulnerabilities in Online Stock Trading Platforms

(August 7 & 8, 2018)

Nearly every one of the 40 stock trading platforms examined by security consultant Alejandro Hernandez was found to contain a security flaw. More than half of the 16 desktop apps transmitted some data unencrypted. Some of the mobile apps and desktop apps store unencrypted passwords locally or send them to logs in plaintext. Hernandez also found that some platforms allow users to create their own bots that are often shared in forums; while touted as a feature, it also provides a vector of attack.

Read more in:

Wired: Online Stock Trading Has Serious Security Holes


IOActive: Are You Trading Stocks Securely? Exposing Security Flaws in Trading TechnologiesBlog Post


IOActive: Are You Trading Stocks Securely? Exposing Security Flaws in Trading TechnologiesWhite Paper



--OpenEMR Fixes Flaws

(August 7 & 8, 2018)

On July 20, 2018, OpenEMR released an update for its medical practice management software to address more than 20 vulnerabilities. The team that found the flaws and notified Open EMR earlier this year disclosed them on August 7.

[Editor Comments]

[Northcutt] Project insecurity is a revenue-based opportunity. I am sure they do wonderful work, but this is more like a press release than news.

[Paller] We included the story because OpenEMR had so many critical vulnerabilities that when the SANS CyberCity team used it in the real world hospital security simulator, they had to harden it to make it at least a little challenging to the trainees.

Read more in:

SC Magazine: Health care software OpenEMR patched after discovery of bugs threatening patient records


BBC: Health records 'put at risk by security bugs'


Project Insecurity: OpenEMR v5.0.1.3 - Vulnerability Report



--Investigation Finds There Was No DDoS Attack on FCC Comment System

(August 7 & 8, 2018)

An internal investigation has found that the US Federal Communications Commissions (FCCs) assertion that its comment system suffered a distributed denial-of-service (DDoS) attack during the comment period regarding net neutrality was false. In a letter responding to a letter from legislators seeking answers to questions about the incident, the FCC lied several times, according to the investigation, which said the comment system outages were likely due to system design issues and flash crowd activity. 

Read more in:

Ars Technica: FCC lied to Congress about made-up DDoS attack, investigation found


Ars Technica: Ajit Pai admits FCC lied about DDoS, blames it on Obama administration


Nextgov: FCC IG Says the Alleged Net Neutrality DDoS Attack Never Happened





Linux TCP DoS Vulnerability


Android Updates


Homebrew Exposed Github Credentials


WhatsApp Vulnerability


Osiris Dropper Uses Process Doppleganging


Netflix Releases Tool To Detected Cloud Credential Compromise


Vulnerabilities in Pacemaker Programmer and Insulin Pumps


"Panic Attacks" Against City Infrastructure


Kaspersky VPN Leaks DNS Traffic


Let's Encrypt Now Trusted By All Major Root CA Programs



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create