
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #64

August 14, 2018




  FBI ATM Cashout Warning

  NIST Working on Final Public Draft of Risk Management Framework 2.0

  Hack the Marine Corps Bug Bounty Program


  UK National Crime Agency Prevent Campaign Seeks to Refocus Teens Who Venture into Cybercrime

  California Cybersecurity Integration Center Aims to Include City and County Governments

  Fax Machine Vulnerabilities Can Be Exploited to Access Networks

  Android Firmware Flaws

  Applying Linkage Analysis to Cyber Crime Attribution

  Hackers Exploiting D-Link Router Vulnerability to Change DNS Settings

  TLS 1.3 Standard is Official








--FBI ATM Cashout Warning

(August 12, 2018)

A confidential FBI alert sent to banks last week warns that criminals are planning an ATM cashout, an attack in which there is a coordinated effort to empty ATMs of all the cash they contain using cloned cards. The scheme involves compromising the system at a bank or payment card processor and using information obtained there to program clones of legitimate cards. The FBI's alert recommends that banks implement strong security measures, such as two-factor authentication using a physical or digital token, dual authentication procedures for withdrawals that exceed a certain threshold, and application whitelisting.

[Editor Comments]

[Murray] In the early days of ATMs we limited cash withdrawals to $200 per account per day. Over the decades banks have relaxed this limit. While banks would be reluctant to reinstitute it, it would be one way of addressing this risk. Note that the application of two-factor (card and PIN) authentication began with ATMs. It was very effective until the cost of cloning cards dropped. When the issuers stop using mag-stripe and use chips, the cost of cloning will go back up and the risk will go down.

[Neely] This is a two-step exploit. First, controls are disabled at the financial institution, such as maximum withdrawal amount or maximum number of ATM transactions, then cloned cards are used to drain accounts. Implementing multi-factor authentication, whitelisting, active monitoring, separation of duties, and dual-person controls are key to protecting the back-end systems from exploitation. While the elimination of the mag-stripe on ATM cards makes the cloning activity very difficult, removing the mag-stripe will take a while. The US deadline for automated fuel pumps to convert to EMV is pushed to October 2020; even when all merchants are no longer using mag-stripe readers, card holders will still need to be issued cards without the enabled capability.

Read more in:

KrebsOnSecurity: FBI Warns of Unlimited ATM Cashout Blitz



--NIST Working on Final Public Draft of Risk Management Framework 2.0

(August 9, 2018)

The National Institute of Standards and Technology (NIST) is hard at work on the next version of its Risk Management Framework (RMF 2.0). The final public draft of RMF 2.0 is expected to be available in September 2018, with final publication expected in November. RMF 2.0 will address supply chains, systems engineering, and privacy.

[Editor Comments]

[Pescatore] Rev. 2 draft of the NIST RMF weighed in at a hefty 149 pages, up from 102 pages from Rev 1 in 2010. Post-incident data almost invariably points out IT and security operational failures as the enabling factor, not lack of heft in risk management documents and policies. The good news is NIST has produced some RMF quick start guides. The bad news is the Implement phase has no quick start guide, which is kind of a symptom of the overall problem.

Read more in:

FCW: NIST pushes on next version of Risk Management Framework


NIST: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy - Revision 2, May 2018



--Hack the Marine Corps Bug Bounty Program

(August 13, 2018)

The US Department of Defense (DoD) has launched another bug bounty program, this time focused on the public-facing websites and services of the Marine Corps. The first DoD bug bounty program, Hack the Pentagon, took place in May 2016. Hack the Marine Corps launched with a live event in Las Vegas, NV, on August 12; it runs through August 26.

[Editor Comments]

[Pescatore] This was more of a hack-a-thon than a long-running, managed bug bounty program. The good thing the USMC did was have their red and blue teams observe, interact with the contestants, and choose the winning bounties, a good learning experience that should enable the USMC to focus on avoiding such software vulnerabilities in the future vs. waiting (and paying) to find them in operational systems.

Read more in:

Fifth Domain: Pentagon invites researchers to hack the Marine Corps


Dark Reading: 'Hack the Marine Corps' Bug Bounty Event Held in Vegas






--UK National Crime Agency Prevent Campaign Seeks to Refocus Teens Who Venture into Cybercrime

(August 13, 2018)

The UK's National Crime Agency (NCA) is seeking technology companies to help technically inclined youth direct their talents and energies to good. NCA, along with the Cyber Security Challenge, has created cybercrime intervention workshops for young people who have ventured into cybercrime. They hope that the program will eventually be considered as an option to which police can send offenders.

[Editor Comments]

[Neely] In an attempt to redirect talented youth from fracturing laws to directing their abilities for good, the NCA has created a web site with resources, videos and advice for parents and teachers to help guide young people. These interventions are showing positive results with the students stepping up to help fill the shortfall in cyber security professionals. Businesses with Cyber internships/mentoring programs have an opportunity to step in to both increase the reach and success of the program and provide a framework and guidance to reduce a return to illegal activities.


[Murray] While well intended and while the destruction of young lives is tragic, this program is likely to end badly. Both hacking and social engineering are addictive behaviors and recidivism is high.

Read more in:

The Register: UK cyber cops: Infosec pros could help us divert teens from 'dark side'


National Crime Agency: Cyber crime: Preventing young people from getting involved



--California Cybersecurity Integration Center Aims to Include City and County Governments

(August 13, 2018)

The California Cybersecurity Integration Center (Cal-CSIC) was created in August 2015 through an executive order from Governor Jerry Brown. Its initial purpose was to reduce the likelihood and severity of cyber-attacks; improve inter-agency and cross-sector information coordination; prioritize cyber threats and alert potential victim entities; and strengthen the state's cybersecurity strategy. Its movement to include the private sector has met with reluctance from eligible organizations. California hopes that all city and county governments within the state will join Cal-CSIC over the next few years.

[Editor Comments]

[Northcutt] One characteristic of similar successes is that the CSIC shares data with the city and county governments. The failures are when the lead organization says "send us your data" but does not return useful, actionable information in return.

Read more in:

Nextgov: How California Is Improving Cyber Threat Information Sharing


CalOES: California Cybersecurity Integration Center



--Fax Machine Vulnerabilities Can Be Exploited to Access Networks

(August 12 & 13, 2018)

Fax machines have been around for years, and their protocols have not changed. Researchers have found weaknesses that could be exploited to gain access to internal networks by sending a maliciously crafted fax. Fax functionality is often incorporated into all-in-one printing devices. Fax data are not cryptographically protected when sent. 

[Editor Comments]

[Murray] Because it is almost cheaper to do than not, we are incorporating and exposing to the public networks gratuitous general purpose computing power in our appliances. This is the real risk associated with the so-called Internet of things. (Note that in health care, fax is presumed to go over the dial-switched network and is preferred to the Internet as more secure. In practice, the sender of fax cannot know how it will be carried or delivered.)

[Neely] The security of Fax machines came from the idea that it was a point-to-point transaction, unlike an email message. Fax machines have evolved from the single-use device to networked/multi-function devices where a fax may never exist in paper form and also include extra capabilities that can be exploited. Mitigate the risk by actively incorporating your multi-function devices into your vulnerability scanning/remediation and patch processes.

Read more in:

BBC: Malicious faxes leave firms 'open' to cyber-attack


Wired: Fax Machines are Still Everywhere, and Wildly Insecure


Bleeping Computer: Vulnerabilities in Fax Protocol Let Hackers Infiltrate Networks via Fax Machines



--Android Firmware Flaws

(August 12, 2018)

There are nearly 50 security flaws in the firmware and default apps found on 25 Android smartphone models. The vulnerabilities could be exploited to cause denial of service conditions, gain root access to devices, take screenshots and videos of the phone's screen, send text messages, access contact lists, or wipe data from the devices.

[Editor Comments]

[Neely] The nature of the Android ecosystem means individual hardware manufacturers are tasked with implementing the port of the Android OS to their hardware platform, and, like any software project, code released by others to solve problems, such as the firmware over the air (FOTA) update module from Adups, gets incorporated along with its included backdoor. The resulting volume of firmware and device combinations makes proactive analysis and remediation difficult to impossible. The mitigation is to deploy devices from trusted OEMs that support firmware updates so patches to identified bugs can be applied, and steer away from repeat offenders such as ZTE, Leagoo and Doogee.

Read more in:

Bleeping Computer: Vulnerabilities Found in the Firmware of 25 Android Smartphone Models



--Applying Linkage Analysis to Cyber Crime Attribution

(August 12, 2018)

Case linkage or linkage analysis is a technique used by law enforcement to connect multiple crimes to a single individual. By examining behavioral fingerprints, law enforcement can draw conclusions that link seemingly unrelated cases. At DefCon last week, Matt Wixey presented efforts to apply the technique to digital crimes, using granular behavior to identify hackers.

Read more in:

Wired: To Identify a Hacker, Treat Them Like a Burglar


DefCon: Betrayed by the keyboard: How what you type can give you away



--Hackers Exploiting D-Link Router Vulnerability to Change DNS Settings

(August 10 & 11, 2018)

Hackers are exploiting a vulnerability in D-Link routers to send users to spoofed online banking sites. The issue affects five D-Link models that have not been patched in the last two years. The flaw allows hackers to remotely change the router's DNS settings to redirect users to a DNS server that the hackers control. The attacks have focused on two Brazilian banks.

[Editor Comments]

[Neely] The importance of lifecycle management, including patching and replacement, is underscored here. A device that is quietly working is easy to overlook, and it is hard to convince management to replace something that doesn't appear broken. It is important to include the replacement plan in the proposal from day one, and lay the foundation for the future project before the crisis moment hits. Even so, the CISO and CIO must jealously defend the project to keep the funding and resources available for execution.

[Murray] Routers are now so cheap, and patching them so inconvenient, that for this consumer simply buying a new one is the right solution. Enterprises are more disciplined; they should patch. However, even in enterprises, the patching of appliances appears to be spotty.

Read more in:

Ars Technica: In-the-wild router exploit sends unwitting users to fake banking site


Bleeping Computer: Hackers Exploiting DLink Routers to Redirect Users to Fake Brazilian Banks



--TLS 1.3 Standard is Official

(August 13, 2018)

The Transport Layer Security 1.3 (TLS 1.3) standard is now official. The revised standard was approved in March 2018; the Internet Engineering Task Force (IETF) calls it "a major revision designed for the modern Internet." Its developers have worked hard to make TLS 1.3 easy to deploy.

Read more in:

The Register: It's official: TLS 1.3 approved as standard while spies weep




Data Tracker IETF: The Transport Layer Security (TLS) Protocol Version 1.3





VIA C3 "God Mode"


Apple MDM Vulnerability


Peeking into MSG Files


Hunting SSL/TLS Clients Using JA3


Mobile Payment Terminal Vulnerabilities



New Extortion Tricks: Now Including Your (Partial) Phone Number!


Intel Releases Patch for Puma Modem Chips



Bluetooth Low Energy Attack Tool


Tesla Will Fix Car if Researcher Breaks It While Hacking




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
