

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #76

September 25, 2018
****************************************************************************

SANS NewsBites             September 25, 2018               Vol. 20, Num. 76

****************************************************************************


TOP OF THE NEWS

  Chrome 69 Automatically Logs Users Into Browser When They Log In to Other Google Services

  Apple Releases macOS Mojave; Researcher Reveals Privacy Flaw

  Cisco Issues Patch for Hardcoded Root-Password in Video Surveillance Software


REST OF THE WEEK'S NEWS

  Microsoft Azure Active Directory Online App Authentication

  Yubico Launches the YubiKey 5 Series

  Scan4You Creator Gets 14-Year Prison Sentence

  Boston-Area Police Participate in Election Cybersecurity Exercise

  Cloudflare to Support Roughtime Timekeeping Protocol

  Defunct Company's Data Left Unencrypted on Seized Computers

  Microsoft JET Flaw Yet to be Patched

  Guilty Plea in Attack that Disabled Police Surveillance Cameras in Washington, DC

  Bitcoin Core Denial-of-Service Flaw


INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By Splunk  ****************************


The Essential Guide to Security maps out how organizations can use machine data for specific use cases and get started addressing threats and security challenges. This ebook addresses how to assess your organization's security maturity, specific threats to look for and how to fight them. Download your complimentary copy today.

http://www.sans.org/info/206980


*****************************************************************************


-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018

    

-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018


-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018


-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018


-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018


-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018


-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018


-- Pen Test HackFest Summit & Training 2018 | Bethesda, MD | November 12-19 | https://www.sans.org/event/pen-test-hackfest-2018


-- SANS San Diego Fall 2018 | November 12-27 | https://www.sans.org/event/san-diego-fall-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get an iPad Mini, Microsoft Surface Go or Take $300 Off with OnDemand or vLive, Offer Ends October 3.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************

TOP OF THE NEWS


--Chrome 69 Automatically Logs Users Into Browser When They Log In to Other Google Services

(September 24, 2018)

One of the less-touted features of Chrome 69, which was released to the stable channel earlier this month, is that when users sign into any Google service, such as Gmail, they are now automatically logged into Chrome. When users directly log in to Chrome, browsing data are uploaded to Google servers. A Google spokesperson says that the change in Chrome 69 does not mean that browser data are being uploaded because the sync function is not automatically enabled.  


[Editor Comments]


[Pescatore] It looks like you really aren't automatically logged in to anything via this change, at least when you are using Chrome on a desktop computer. If you are using Google apps (like the Gmail app) on iOS, once you log in you can only log out by deleting the app, which is not a very user-friendly way to avoid being tracked across every Google service. Of course, back in May Google updated its Code of Conduct and "Do No Evil" is nowhere to be found anymore!


[Neely] While unexpected, and at odds with the privacy notice, with automatic sign-in enabled your browser history, bookmarks, etc. don't sync until you enable it. Once Sync is enabled, you can disable it, modify what is synchronized, and protect sync data with your own sync passphrase. The automatic login behavior can be turned off by setting the account consistency flag (chrome://flags/#account-consistency) to disabled.


[Northcutt] All Google products have been moving towards single sign-on for years, and people love it. Use Chrome when interacting with Google services, Firefox with DuckDuckGo for search for almost everything else, keep Tor in your back pocket, and you are good to go.


Read more in:

Threatpost: Google's Forced Sign-in to Chrome Raises Privacy Red Flags

https://threatpost.com/googles-forced-sign-in-to-chrome-raises-privacy-red-flags/137651/

Bleeping Computer: Users Forcibly Being Logged Into Chrome When Signing Into a Google Service

https://www.bleepingcomputer.com/news/security/users-forcibly-being-logged-into-chrome-when-signing-into-a-google-service/

CNET: Google started quietly logging you into Chrome with latest update, reports say

https://www.cnet.com/news/google-started-quietly-logging-you-into-chrome-with-latest-update-reports-say/


 

--Apple Releases macOS Mojave; Researcher Reveals Privacy Flaw

(September 24, 2018)

On Monday, September 24, Apple made macOS Mojave (10.14) available for download to the public. Among the features touted in the newest version of the operating system are enhanced privacy and security. On the same day as Mojave's release, security expert Patrick Wardle disclosed a vulnerability in the operating system that could be exploited to bypass privacy controls and access sensitive user data without authorization.


Read more in:

Forbes: Apple macOS Mojave Is Now Available For Download: 14 Features You Should Know About

https://www.forbes.com/sites/amitchowdhry/2018/09/24/macos-mojave-features-release-download/#b1589bc28a4e

Bleeping Computer: macOS Mojave Privacy Bypass Flaw Allows Access to Protected Files

https://www.bleepingcomputer.com/news/security/macos-mojave-privacy-bypass-flaw-allows-access-to-protected-files/

ZDNet: Apple MacOS Mojave zero-day privacy bypass vulnerability revealed

https://www.zdnet.com/article/macos-mojave-zero-day-privacy-bypass-bug-revealed-on-the-day-of-download/


 

--Cisco Issues Patch for Hardcoded Root-Password in Video Surveillance Software

(September 21 & 24, 2018)

Cisco has released a fix for a hard-coded root password in its Video Surveillance Manager (VSM) software. The issue is fixed in VSM version 7.12. The Cisco advisory details specifically which products are affected.


[Editor Comments]


[Neely] Changing default credentials requires disclosure of all accounts that need to be changed. In this case the account was undocumented and not known. While this applies only to VSM installed by Cisco in specific products, the only mitigation is to apply the update and verify that all known default credentials have been changed.


Read more in:

Cisco: Cisco Video Surveillance Manager Appliance Default Password Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm

ZDNet: Cisco: We've killed another critical hard-coded root password bug, patch urgently

https://www.zdnet.com/article/cisco-weve-killed-another-critical-hard-coded-root-password-bug-patch-urgently/

SC Magazine: Cisco patches critical default password vulnerability

https://www.scmagazine.com/home/news/cisco-patches-critical-default-password-vulnerability/


**************************  SPONSORED LINKS  ********************************


1) "What Works in Certificate and Key Management: Enabling Secure Digital Business Using Venafi's Trust Protection Platform" Register: http://www.sans.org/info/206985

2) Don't Miss "Automating Open Source Security: A SANS Review of WhiteSource" Register: http://www.sans.org/info/206990

3) What challenges do you face in using cyber threat intelligence (CTI)? Help SANS examine the state of CTI. Take the survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/206995


*****************************************************************************

REST OF THE WEEK'S NEWS

 

--Microsoft Azure Active Directory Online App Authentication

(September 24, 2018)

Microsoft customers will soon be able to use Azure Active Directory for passwordless app authentication. Azure Active Directory-connected apps can currently authenticate with Microsoft Authenticator, which uses passwords combined with one-time codes for stronger authentication. The new feature will use the app as one form of authentication and a biometric authenticator or PIN for the second.  


[Editor Comments]


[Neely] Rather than working with users to create good passwords, taking them off the table and replacing them with a biometric authenticator makes compromise very difficult. Because the MS Authenticator app is still in play, the one-time token reduces the risk of poorly chosen PIN codes or a replicated biometric as a single authentication factor.


Read more in:

Ars Technica: Microsoft offers completely passwordless authentication for online apps

https://arstechnica.com/gadgets/2018/09/microsoft-offers-completely-passwordless-authentication-for-online-apps/

Dark Reading: Microsoft Deletes Passwords for Azure Active Directory Applications

https://www.darkreading.com/cloud/microsoft-deletes-passwords-for-azure-active-directory-applications/d/d-id/1332880

 
 

--Yubico Launches the YubiKey 5 Series

(September 24, 2018)

Yubico's YubiKey 5 Series physical tokens support the FIDO2 open authentication standard. The token can replace weak password-based authentication with strong hardware-based authentication, according to the company's press release.


[Editor Comments]


[Pescatore] Good to see more of these becoming available, and it will be even better to see the Facebooks, Amazons, PayPals, Venmos, etc. incentivizing their users to move to using such devices. Google is either having production problems with its Titan Key or demand has been very high; shipping time is 2 months or more.


Read more in:

Wired: The New YubiKey Will Help Kill the Password

https://www.wired.com/story/yubikey-series-5-fido2-passwordless/

Yubico: Yubico Launches YubiKey 5 Series, the Industry's First Multi-Protocol Security Keys Supporting FIDO2

https://www.yubico.com/press-releases/yubico-launches-yubikey-5-series-the-industrys-first-multi-protocol-security-keys-supporting-fido2/

 
 

--Scan4You Creator Gets 14-Year Prison Sentence

(September 21, 22, & 24, 2018)    

Ruslan Bondars has been sentenced to 14 years in prison for creating and operating Scan4You, a service that lets malware purveyors check whether their malware is detected by or evades antivirus software. In May 2018, Bondars was convicted of conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and computer intrusion with intent to cause damage and aiding and abetting.  


Read more in:

ZDNet: Hacker gets a whopping 14 years in prison for running Scan4You service

https://www.zdnet.com/article/hacker-gets-a-whopping-14-years-in-prison-for-running-scan4you-service/

Dark Reading: 'Scan4Yyou' Operator Gets 14-Year Sentence

https://www.darkreading.com/threat-intelligence/scan4yyou-operator-gets-14-year-sentence/d/d-id/1332874

DOJ: Operator of Counter Antivirus Service Scan4you Sentenced to 14 Years in Prison

https://www.justice.gov/opa/pr/operator-counter-antivirus-service-scan4you-sentenced-14-years-prison

 

--Boston-Area Police Participate in Election Cybersecurity Exercise

(September 21 & 24, 2018)

A team of Boston-area police participated in a cybersecurity exercise involving a simulated election. The police were pitted against a red team composed of executives from the company organizing the exercise, Boston College graduate students, and Boston mayor's office staff members, whose job was to sow disinformation and suppress voting. The red team managed to hack voter registration lists, change information about voting locations on websites, and create traffic jams to disrupt the election.


[Editor Comments]


[Murray] While such exercises should be encouraged, we should be very careful what we conclude from them. In the short term, the bad guys have an advantage over the police. Prevention is the job of those officials operating the election, not the police. Catch and punish after the fact is their role.


Read more in:

Fifth Domain: Hackers in Boston gamed out an election day nightmare - and won

https://www.fifthdomain.com/civilian/2018/09/21/hackers-in-boston-gamed-out-an-election-day-nightmare-and-won/

Cyberscoop: In this election security drill, Massachusetts cops battle hackers to protect the vote

https://www.cyberscoop.com/massachusetts-election-security-drill/

 
 

--Cloudflare to Support Roughtime Timekeeping Protocol

(September 21, 2018)

Cloudflare will support a new authenticated time service. Roughtime is a secure authenticated time protocol developed by Google. Many devices currently use the Network Time Protocol (NTP) for synchronization, but NTP is an aging protocol that does not include security measures; it has been abused to amplify distributed denial-of-service (DDoS) attacks. The Roughtime protocol incorporates security measures that will help prevent attackers from using it to amplify attacks. Cloudflare will use Roughtime to help validate SSL/TLS certificate expiration dates.


[Editor Comments]


[Pescatore] I don't think Roughtime is really being seen as a full NTP replacement, but making it easier/faster/safer for TLS cert expiration/revocation status to be checked is a good thing.


[Murray] As is the case with many appliances (e.g., digital cameras, baby monitors, clocks, time servers), the risk that they will be converted to malicious purposes (e.g., denial of service, crypto mining, or brute force attacks against passwords or keys) outweighs the risk that their applications will not work as intended (e.g., distort the picture, ignore distressed infants, tell the wrong time).


[Neely] Increased use of security certificates requires accurate time on systems to properly respond to revocation and update events. As systems use network time sources for keeping clocks accurate, the accuracy of that time source needs to also be assured. Roughtime adds assurance of a genuine time source which will disrupt attempts for MITM time synchronization attacks. Cloudflare is the first major adoption of Roughtime since its introduction in 2016. While turn-key replacement clients for endpoints are still a bit off, you can download and build your own from reference implementations written in C++ and Go.


Read more in:

Cloudflare: Roughtime: Securing Time with Digital Signatures

https://blog.cloudflare.com/roughtime/

Wired: Cloudflare and Google Will Help Sync the Internet's Clocks, And Make You Safer

https://www.wired.com/story/clouldflare-google-roughtime-sync-clocks-security/

eWeek: Cloudflare Secures Time With Roughtime Protocol Service

http://www.eweek.com/security/cloudflare-secures-time-with-roughtime-protocol-service

 
 

--Defunct Company's Data Left Unencrypted on Seized Computers

(September 18, 21, & 22, 2018)

Equipment belonging to a now-defunct Canadian retailer was offered for sale on Craigslist; the machines were found to contain unencrypted customer data dating back to 2007, including payment card numbers and transaction records. The equipment was seized by the company's landlords after the company failed to pay rent. The Royal Canadian Mounted Police (RCMP) and the Office of the Information and Privacy Commissioner of British Columbia are investigating.


[Editor Comments]


[Pescatore] This is a common occurrence at businesses, and not just when they go bankrupt. When replaced, corporate PCs, servers and printers are often disposed of by selling them to firms that pay a low price and then resell them immediately, often with very sensitive data left on them. It is important to work with IT and procurement to make sure that those contracts include full sanitization, or that the IT procedures do so before surplussing the equipment.


[Neely] Because of the sequence of events, the only way to mitigate this exposure would be encryption at rest. With the power of modern systems, the overhead of encryption is negligible. Implementing and testing key escrow services is critical when deploying. Once encryption at rest is SOP, clearing systems for reuse or resale becomes as simple as clearing the encryption key rather than continued reliance on disk wipe procedures.


Read more in:

The Register: Dead retailer's 'customer data' turns up on seized kit, unencrypted and very much for sale

https://www.theregister.co.uk/2018/09/21/ncix_servers_sold/

CBC: RCMP and privacy commissioner probe alleged NCIX data breach

https://www.cbc.ca/news/canada/british-columbia/ncix-breach-probe-1.4833976

PrivacyFly: NCIX Data Breach

https://www.privacyfly.com/articles/ncix_breach/

 
 

--Microsoft JET Flaw Yet to be Patched

(September 21, 2018)

An out-of-bounds write flaw in Microsoft's JET Database Engine could be exploited to execute code remotely. The issue lies in the JET Database Engine's handling of malformed data. Trend Micro's Zero Day Initiative detected the flaw and notified Microsoft on May 8; on September 9, Microsoft responded that a patch might not be ready in time to meet the 120-day disclosure deadline. Microsoft addressed two flaws in JET in September's Patch Tuesday release, but not the out-of-bounds write flaw; the company says it is working on a patch for it.


Read more in:

SC Magazine: Report: Microsoft misses disclosure deadline to patch RCE bug in JET

https://www.scmagazine.com/home/news/report-microsoft-misses-disclosure-deadline-to-patch-rce-bug-in-jet/

Threatpost: Unpatched Microsoft Zero-Day in JET Allows Remote Code-Execution

https://threatpost.com/unpatched-microsoft-zero-day-in-jet-allows-remote-code-execution/137597/

 

--Guilty Plea in Attack that Disabled Police Surveillance Cameras in Washington, DC

(September 20 & 21, 2018)

Eveline Cismaru has pleaded guilty to conspiracy to commit wire fraud and conspiracy to commit computer fraud for her role in a scheme that disabled surveillance cameras in Washington, DC. The scheme involved infecting the devices with ransomware and using them to distribute ransomware to other computers. The incident occurred in January 2017, prior to the presidential inauguration. Cismaru and a co-defendant, Mihai Alexandru Isvanca, were arrested in Romania in December 2017; Cismaru fled the country following her arrest and was apprehended in the UK in March 2018; she was extradited in June 2018. Isvanca is being held in Romania pending extradition. Cismaru's sentencing is scheduled for December 3, 2018.


Read more in:

Washington Post: Romanian woman pleads guilty in D.C. police camera ransomware attack before 2017 Trump inauguration

https://www.washingtonpost.com/local/public-safety/romanian-woman-pleads-guilty-in-dc-police-camera-ransomware-attack-before-2017-trump-inauguration/2018/09/20/ea4ae0b0-bce7-11e8-be70-52bd11fe18af_story.html

The Register: Guilty: The Romanian ransomware mastermind who infected Trump inauguration CCTV cams

https://www.theregister.co.uk/2018/09/21/cctv_ransomware_trump_washington_dc/

SC Magazine: Romanian woman pleads guilty to ransomware attack on D.C. police cameras before Trump Inauguration

https://www.scmagazine.com/home/news/romanian-woman-pleads-guilty-to-ransomware-attack-on-d-c-police-cameras-before-trump-inauguration/

DOJ: Romanian Woman Pleads Guilty to Federal Charges in Hacking of Metropolitan Police Department Surveillance Cameras

https://www.justice.gov/usao-dc/pr/romanian-woman-pleads-guilty-federal-charges-hacking-metropolitan-police-department

 

--Bitcoin Core Denial-of-Service Flaw

(September 20, 2018)

Developers have released a fix for a vulnerability in the Bitcoin Core software. The flaw affects Bitcoin Core versions 0.14.0 through 0.16.2. All vulnerable versions should be upgraded to 0.16.3 as soon as possible.


Read more in:

NextWeb: Crippling DDoS vulnerability put the entire Bitcoin market at risk

https://thenextweb.com/hardfork/2018/09/20/bitcoin-core-vulnerability-blockchain-ddos/

GitHub: Fix crash bug with duplicate inputs within a transaction

https://github.com/bitcoin/bitcoin/commit/4b8a3f5d235f40be8102506ab26caad005cc40d6
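The linked fix commit is titled "Fix crash bug with duplicate inputs within a transaction". As an added example (not Bitcoin Core's own code), the following parses the input vector of a legacy serialized Bitcoin transaction and rejects any transaction that references the same outpoint twice, which is the consistency check a validator relies on; the sample transactions are constructed inline.

```python
import struct
from collections import Counter
from typing import List, Tuple

Outpoint = Tuple[bytes, int]  # (previous txid, output index being spent)


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def write_varint(n: int) -> bytes:
    """Encode a CompactSize integer (used here only to build the constructed samples)."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def parse_inputs(raw: bytes) -> List[Outpoint]:
    """Walk the input vector of a legacy (non-witness) serialized transaction.
    Layout: version(4) | vin count | inputs ..., where each input is
    prev txid(32) | vout(4, LE) | scriptSig (CompactSize + bytes) | sequence(4)."""
    pos = 4  # skip the 4-byte version field
    n_in, pos = read_varint(raw, pos)
    outpoints: List[Outpoint] = []
    for _ in range(n_in):
        txid = raw[pos:pos + 32]
        vout = struct.unpack_from("<I", raw, pos + 32)[0]
        pos += 36
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4  # skip scriptSig bytes and the sequence field
        outpoints.append((txid, vout))
    return outpoints


def duplicate_inputs(outpoints: List[Outpoint]) -> List[Outpoint]:
    """Outpoints referenced more than once; a valid tx spends each outpoint at most once."""
    return [op for op, n in Counter(outpoints).items() if n > 1]


def check_transaction(raw: bytes) -> bool:
    """Accept the transaction only if no outpoint is spent twice within it."""
    return not duplicate_inputs(parse_inputs(raw))


def build_tx(outpoints: List[Outpoint]) -> bytes:
    """Constructed sample: version 1, the given inputs with empty scriptSigs,
    one zero-value output with an empty scriptPubKey, locktime 0."""
    tx = struct.pack("<i", 1) + write_varint(len(outpoints))
    for txid, vout in outpoints:
        tx += txid + struct.pack("<I", vout) + write_varint(0) + b"\xff\xff\xff\xff"
    tx += write_varint(1) + struct.pack("<q", 0) + write_varint(0)
    return tx + struct.pack("<I", 0)


# Constructed sample inputs: two distinct outpoints vs. one outpoint repeated.
A, B = b"\x11" * 32, b"\x22" * 32
TX_OK = build_tx([(A, 0), (B, 1)])
TX_DUP = build_tx([(A, 0), (B, 1), (A, 0)])

if __name__ == "__main__":
    print("valid  :", check_transaction(TX_OK))
    print("invalid:", check_transaction(TX_DUP), duplicate_inputs(parse_inputs(TX_DUP)))
```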

 

INTERNET STORM CENTER TECH CORNER

 

Odd DNS Requests from Firewalls

https://isc.sans.edu/forums/diary/Suspicious+DNS+Requests+Issued+by+a+Firewall/24128/


Securing API Connections

https://isc.sans.edu/forums/diary/The+danger+of+sending+information+for+API+consumption+without+adequate+security+measures/24130/


Microsoft JET Database 0day

https://www.zerodayinitiative.com/advisories/ZDI-18-1075/


Western Digital Releases Patch for MyCloud Drives

https://support.wdc.com/knowledgebase/answer.aspx?ID=25952&s


Job Offers With Malware Attachment

https://www.bleepingcomputer.com/news/security/malware-disguised-as-job-offers-distributed-on-freelance-sites/        


More Sextortion Emails

https://isc.sans.edu/forums/diary/Sextortion+Spam+and+the+Infinite+Monkey+Theorem/24136/


MacOS 10.14 (Mojave) Security Fixes

https://support.apple.com/en-us/HT209139


Mojave Privacy Protection Bypass

https://vimeo.com/291491984


Cloudflare Supporting Encrypted SNI

https://blog.cloudflare.com/esni/


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create