SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #67

August 24, 2018





  Chrome Takes Another Step Toward Deprecating Flash

  Verizon Admits Throttling Firefighter Data Was a Mistake


  DNC Hack Attempt Was a Planned Test

  Facebook Pulls Onavo VPN App from Apple Store

  Adobe Photoshop Updates Fix Critical RCE Flaws

  NSA Document Leaker Sentenced to Prison

  Intel Revises Problematic Microcode License

  Apache Releases Patches for Critical Struts Flaw

  Fancy Bear Domains Sinkholed

  FBI Will Hire Data Scientists at All Field Offices









--Chrome Takes Another Step Toward Deprecating Flash

(August 21, 2018)

When Chrome 69 is moved to the stable channel early next month, users will have to enable Adobe Flash every time they want it to run. In 2016, Chrome began defaulting to HTML5 and requiring that Flash be enabled site by site. The setting is currently sticky, meaning that if a user enables Flash on a site, it will be enabled on that site even after the browser is restarted. Chrome plans to stop support for Adobe Flash entirely in 2020.

[Editor Comments]

[Murray] Google is not deprecating Flash, it is tolerating, accommodating, and supporting it, a decade after Steve Jobs urged the community to abandon it. Wouldn't you love to have the money that has been spent patching Flash over the last decade, much less that spent mitigating attacks. One might settle for what Google has spent deprecating it. The length of time required to replace a Flash application with HTML5 should be measured in days to weeks, not months to years. Google has dirty hands here.


[Shpantzer] Flash is dead. Long live flash (mostly in security awareness sites, ironically).

Read more in:

Ars Technica: Chrome 69 will take the next step to killing Flash, roll out new design



--Verizon Admits Throttling Firefighter Data Was a Mistake

(August 21 & 22, 2018)

Firefighters battling the Mendocino Complex Fire north of San Francisco late last month found that Verizon was throttling their data speeds. When they contacted Verizon, the firefighters were told they had to switch to a more expensive plan to resume effective data speeds. Verizon has since acknowledged that it should have lifted the data speed restrictions in the emergency situation. Verizon said the throttling was a customer-support mistake and not a net neutrality issue.

[Editor Comments]

[Pescatore] I bet Verizon would have happily forwarded along known DDoS or malware traffic up until the point where they throttled legitimate traffic. If ISPs filtered known bad traffic, users would gain back 30-70% of their unlimited bandwidth. While it is true that junk snail mail subsidizes legitimate snail mail, the USPS doesn't start throttling your mail delivery if you get too many cruise ship brochures.

[Murray] Even the Net Neutrality rules were never intended to deal with issues of wireless network management or pricing. Indeed, if there was ever, or ever will be, a prioritization scheme, emergency services would be, as they are in the dial-switched network, at the top of the list. That said, the service providers and the governments share blame for putting emergency services on a throttled data plan. (My niece managed to consume 70GB in less than a month on a family plan that was throttled after 22.5GB. Go figure.)

[Northcutt] Data throttling is a Net Neutrality issue. I am surprised Verizon got off with so little bad press. That said, the fire service folks have to contract a plan that meets their needs.

Read more in:

Ars Technica: Verizon throttled fire department's "unlimited" data during Calif. wildfire


Ars Technica: Fire dept. rejects Verizon's "customer support mistake" excuse for throttling


NBC News: Verizon admits 'throttling' data to Calif. firefighters amid blaze







--DNC Hack Attempt Was a Planned Test

(August 23, 2018)

Earlier this week, the US Democratic National Committee (DNC) reported that hackers were attempting to access its database through a phishing attack. The DNC was alerted to the existence of a spoofed login page for a platform used to manage the Democratic registered voter database. It was later determined that the incident was part of a planned penetration test.

[Editor Comments]

[Pescatore] There has always been a debate around surprise pen testing vs. fully notifying everyone. This type of event is a tame example of the downside of the surprise approach, and the downside in general has outweighed the upside of seeing if anyone notices the surprise test.

[Neely] When conducting a phishing test, verified authority to authorize that test is critical. Additionally, make sure all your monitoring/reporting processes include checks for authorized tests to avoid crying wolf.

[Northcutt] +1 for the Motherboard analysis. The fact they detected the test shows they are on the ball.


Read more in:

Threatpost: DNC: Highly Publicized Phishing Attempt Was Only a Security Test


Bleeping Computer: Recent DNC Hacking Attempt Was Just a Simulated Phishing Test


Motherboard: The DNC False Alarm Hack Is Good Cybersecurity, Bad PR



--Facebook Pulls Onavo VPN App from Apple Store

(August 22 & 23, 2018)

Facebook has removed its Onavo Protect VPN app from the Apple App Store after Apple determined that the application violated the company's data protection rules. Onavo apparently sends mobile traffic data back to Facebook even when the app is not actively being used. (Please note that the Wall Street Journal story is behind a paywall.)

[Editor Comments]

[Neely] While the Onavo EULA explicitly stated that they use your data both for themselves and Facebook service improvement, most users will just click the agree button without reading it. With any VPN or other service designed to protect or obfuscate your traffic, it is important to both remember that they can see your traffic, at a high level and patterns over time; and to know what will be done with that information.


Read more in:

Ars Technica: Facebook violates Apple's data-gathering rules, pulls VPN from App Store


The Register: Facebook pulls 'snoopy' Onavo VPN from Apple's App Store after falling foul of rules


ZDNet: Facebook's Onavo VPN app removed from Apple App Store over privacy concerns


WSJ: Facebook Removes Data-Security App From Apple Store (Paywall)



--Adobe Photoshop Updates Fix Critical RCE Flaws

(August 23, 2018)

Adobe has released critical updates for its Photoshop Creative Cloud software to address a pair of flaws that could be exploited to execute arbitrary code. Users are urged to update to Photoshop CC 2018 19.1.6 and Photoshop CC 2017 18.1.6 for Windows and macOS.

[Editor Comments]

[Shpantzer] The only thing worse than a fake Adobe executable download is a genuine Adobe executable.

Read more in:

The Register: Whoa, is it Patch Tuesday already? No, just an unexpected critical Photoshop fix


Adobe: Security updates available for Adobe Photoshop CC | APSB18-28



--NSA Document Leaker Sentenced to Prison

(August 23, 2018)

Reality Winner has been sentenced to more than five years in prison for leaking classified defense reports. While employed as a contractor at a US government agency facility, Winner printed out a Top Secret intelligence report and gave a copy to an online news media outlet. Her sentence is the result of a plea agreement Winner reached with prosecutors on June 21, 2018.

Read more in:

SC Magazine: Harsh Reality: Former NSA contractor Reality Winner sentenced to 63 months for leaking classified report


DoJ: Federal Government Contractor Sentenced for Removing and Transmitting Classified Materials to a News Outlet



--Intel Revises Problematic Microcode License

(August 23, 2018)

Intel has walked back a gag restriction in the software license accompanying its most recent microcode update. The update addressed a Spectre-like issue known as Foreshadow. The terms of use initially included this clause: "You will not, and will not allow any third party to, publish or provide any Software benchmark or comparison test results", which caused Debian to decide not to push the update out to its users. Intel has changed the terms of service so that benchmarking is no longer prohibited.

Read more in:

The Register: Intel rips up microcode security fix license that banned benchmarking


ZDNet: Intel 'gags' Linux distros from revealing performance hit from Spectre patches



--Apache Releases Patches for Critical Struts Flaw

(August 22 & 23, 2018)

Earlier this week, the Apache Software Foundation released fixes for a critical flaw in Apache Struts 2. The issue is due to insufficient validation of untrusted user data in the Struts core. Exploit code has been posted online. Users running Struts 2.3 should upgrade to 2.3.35; users running Struts 2.5 should upgrade to 2.5.17.
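As an added example (not from the newsletter or the Apache project), a small Python check that reads the Struts version from a Maven POM or a deployed jar name and compares it with the fixed releases the item names, 2.3.35 and 2.5.17. The POM fragment is constructed, and branches other than 2.3 and 2.5 are reported as unknown rather than classified.

```python
import re

# Fixed versions as given in the newsletter item (S2-057): 2.3.35 and 2.5.17.
# Branches other than 2.3 and 2.5 are reported as unknown rather than guessed at.
FIXED = {(2, 3): (2, 3, 35), (2, 5): (2, 5, 17)}

# Constructed pom.xml fragment (not from any real project) that pins Struts via a property.
SAMPLE_POM = """<project>
  <properties><struts.version>2.5.16</struts.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId><artifactId>junit</artifactId><version>4.12</version>
    </dependency>
  </dependencies>
</project>"""


def parse_version(text):
    """'2.5.16', '2.3.34.1' or '2.5.17-SNAPSHOT' -> (major, minor, patch); None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[.-].*)?", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def struts_status(version):
    """Classify a Struts 2 version string against the fixed releases named above."""
    v = parse_version(version)
    if v is None:
        return "unparseable"
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unknown-branch"
    return "vulnerable" if v < fixed else "patched"


def jar_version(filename):
    """Pull the version out of a deployed jar name such as struts2-core-2.5.16.jar."""
    m = re.match(r"struts2-[\w-]+?-(\d[\w.-]*)\.jar$", filename)
    return m[1] if m else None


def find_struts_dependencies(pom_xml):
    """Return (artifactId, resolved version, status) for every struts2-* dependency in a POM."""
    props = {}
    block = re.search(r"<properties>(.*?)</properties>", pom_xml, re.S)
    if block:
        props = dict(re.findall(r"<([\w.\-]+)>\s*([^<]*?)\s*</\1>", block[1]))
    results = []
    for dep in re.findall(r"<dependency>(.*?)</dependency>", pom_xml, re.S):
        art = re.search(r"<artifactId>\s*([^<]+?)\s*</artifactId>", dep)
        ver = re.search(r"<version>\s*([^<]+?)\s*</version>", dep)
        if not (art and ver) or not art[1].startswith("struts2-"):
            continue
        # Resolve ${property} references the way Maven would for a simple project.
        version = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m[1], m[0]), ver[1])
        results.append((art[1], version, struts_status(version)))
    return results
```

Running `find_struts_dependencies(SAMPLE_POM)` reports the pinned struts2-core 2.5.16 as vulnerable; `struts_status(jar_version("struts2-core-2.3.34.jar"))` does the same for a deployed jar.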

[Editor Comments]

[Neely] While the modern application delivery ecosystem is complicated and sometimes fragile, necessitating regression testing, patching Struts flaws expeditiously is prudent. This is fixed in Struts 2.3.35 and 2.5.17. With the past track record of Struts vulnerabilities and published exploit code, active attempts to take advantage of the weakness are a given.


[Murray] In our modern multi-layered systems, input validation is much more difficult than it looks. It is not taught in schools. However, it is the essence of developing reliable programs. It is necessary to resist, for example, buffer and stack overflow attacks, cross-site scripting, and SQL (command) injection attacks.


[Shpantzer] Here's a good article about the larger vuln management treadmill and its place in an overall security strategy: https://www.nopsec.com/blog/another-year-another-critical-struts-flaw-cve-2018-11776/

Read more in:

Threatpost: Apache Struts 2 Flaw Uncovered: More Critical Than Equifax Bug


KrebsOnSecurity: Experts Urge Rapid Patching of Struts Bug


The Register: Apache's latest SNAFU - Struts normal, all fscked up: Web app framework needs urgent patching


Cyberscoop: New critical vulnerability exposes Apache Struts instances to remote attacks


Apache: S2-057: Possible Remote Code Execution



--Fancy Bear Domains Sinkholed

(August 21 & 23, 2018)

Microsoft has sinkholed six domains associated with the Fancy Bear/APT28 hacking group. The domains were being used to spoof a political think tank, a political organization, and several US Senate domains. Microsoft President Brad Smith says that the company has shut down a total of 84 spoofed domains associated with the hacking group over the past two years.

[Editor Comments]

[Shpantzer] If more security teams were aggressively filtering and analyzing DNS, we'd need less heroics from tech companies and feds. There are fairly cheap and easy to use SaaS tools for this that have been available for years. Use them and watch opportunistic infections drop off a cliff, allowing you some space to get more strategic about your security spend and wetware bandwidth.
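As an added example (not from the newsletter or any of its editors), a Python sketch of the kind of DNS log analysis the comment above describes: it scans constructed BIND-style query logs for registered domains that typo, homoglyph, or embed a watched brand name, the pattern behind the spoofed domains in this item. The watchlist, the log lines, and the last-two-labels rule for the registrable domain are all assumptions.

```python
import re

# Constructed watchlist: "senate.gov" stands in for the Senate domains the item mentions; the other entry is a placeholder.
WATCHLIST = ["senate.gov", "thinktank.example"]
# Constructed BIND-style query-log lines; none of these hosts or clients are real traffic.
SAMPLE_LOG = """\
24-Aug-2018 10:15:02.123 client 10.1.2.3#51234: query: www.senate.gov IN A + (10.1.2.1)
24-Aug-2018 10:15:05.456 client 10.1.2.3#51240: query: adfs-senate.example IN A + (10.1.2.1)
24-Aug-2018 10:15:09.789 client 10.1.2.7#51300: query: mail.senatee.gov IN A + (10.1.2.1)
24-Aug-2018 10:15:12.001 client 10.1.2.9#51311: query: update.thinktank.example IN A + (10.1.2.1)
24-Aug-2018 10:15:20.222 client 10.1.2.9#51315: query: th1nktank-login.example IN A + (10.1.2.1)
24-Aug-2018 10:15:25.333 client 10.1.2.4#51400: query: cdn.example.net IN A + (10.1.2.1)
"""
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")
# Characters commonly swapped for look-alikes; both the query and the watched name are folded before comparing.
HOMOGLYPHS = [("0", "o"), ("1", "i"), ("l", "i"), ("rn", "m"), ("vv", "w"), ("-", "")]

def levenshtein(a, b):
    """Edit distance, used to catch single-character typos of a watched brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(qname):
    """Assumption: registrable domain = last two labels (no public-suffix list used here)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def fold(label):
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label

def lookalike_reason(domain):
    """Why `domain` resembles a watchlist entry, or None for the genuine domain or unrelated names."""
    if domain in WATCHLIST:
        return None
    sld = fold(domain.rsplit(".", 1)[0])
    for watched in WATCHLIST:
        wsld = fold(watched.rsplit(".", 1)[0])
        if levenshtein(sld, wsld) <= 1:
            return f"typo or TLD swap of {watched}"
        if wsld in sld:
            return f"embeds brand of {watched}"
    return None

def scan_log(text):
    """Return (client, registrable domain, reason) for every query that resembles a watched domain."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            domain = registrable(m["qname"])
            reason = lookalike_reason(domain)
            if reason:
                hits.append((m["client"], domain, reason))
    return hits
```

`scan_log(SAMPLE_LOG)` flags the three constructed look-alikes and leaves the genuine senate.gov and thinktank.example queries alone; in practice the watchlist would be the organisation's own domains and those of partners it is routinely impersonated as.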

Read more in:

eWeek: Microsoft Offers Free Security Service Suite to U.S. Political Groups


Dark Reading: Microsoft Sinkholes 6 Fancy Bear/APT28 Internet Domains



--FBI Will Hire Data Scientists at All Field Offices

(August 22, 2018)

The FBI is planning to hire data scientists at all 56 field offices. The agency has secured funding to make the hires, and it has also increased its outreach to students with relevant IT skills. Over the summer, the FBI launched a pilot cybersecurity internship program for high school students.  

[Editor Comments]

[Neely] It is good to see the FBI modernizing their capabilities and hiring needed talent to analyze and understand cybersecurity. This represents an awesome opportunity for high school students to get into cybersecurity as well as a challenging and interesting field for adult data scientists. Continuing investment in new technologies, such as used in the InTAP and Javelin programs, will help maintain interest and aid retention and help to keep the workforce engaged.


Read more in:

FNR: FBI faces recruiting challenge in plan to hire data scientists at all field offices





Malicious DLL Loaded Through AutoIT


Traefik Fixes TLS Private Key Exposure


TLS Certificates Survive Domain Ownership


Intel Microcode License Update Causes Problems for Debian Linux


Intel Simplifies Microcode License


Simple Phishing Through formcrafts.com


Phishing False Alarm


New Critical Apache Struts Vulnerability (CVE-2018-11776)



Hardening Apache Struts With SELinux


Ghostscript Code Execution Vulnerability


Photoshop CC Patch


Facebook's Onavo VPN removed from Apple AppStore

https://www.wsj.com/articles/facebook-to-remove-data-security-app-from-apple-store-1534975340?mod=e2tw (paywall)


Fake Crypto Trading App Stealing Crypto Currency From Mac Users



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create