2 Days Left to get an iPad Pro with Smart Keyboard, Surface GO or $350 Off with Online Training

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #77

September 28, 2018

****************************************************************************

SANS NewsBites             September 28, 2018               Vol. 20, Num. 77

****************************************************************************


TOP OF THE NEWS


  Vulnerable ES&S Election Machines

  Port of San Diego Suffered Ransomware Attack; Follows Barcelona Port Attack

  Universities Developing Improved Cybersecurity Training Pathways


REST OF THE WEEKS NEWS


  Apple Device Enrollment Program Uses Weak Authentication

  Cisco Security Updates for IOS and IOS XE

  LoJax UEFI Rootkit Detected in the Wild

  Former NSA Employee Sentenced to Five-and-a-Half Years in Prison for Taking Home Classified Materials

  Chrome 70 Will Address Privacy Concerns

  Mitsubishi Recalls SUVs Over Software Bug

  Product Testing Lawsuits


INTERNET STORM CENTER TECH CORNER    

 

*****************************************************************************

Cybersecurity Training Update


-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018

    

-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018


-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018


-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018


-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018


-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018


-- Pen Test HackFest Summit & Training 2018 | Bethesda, MD | November 12-19 | https://www.sans.org/event/pen-test-hackfest-2018


-- SANS San Diego Fall 2018 | November 12-17 | https://www.sans.org/event/san-diego-fall-2018


-- SANS San Francisco Fall 2018 | November 26-December 1 | https://www.sans.org/event/san-francisco-fall-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get an iPad Mini, Microsoft Surface Go or Take $300 Off with OnDemand or vLive, Offer Ends October 3.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


***************************  Sponsored By Corelight *************************


Need to find network breaches faster? Attend BroCon 2018! Dont miss

your chance to attend the open-source developers & users conference for

Bro. Youll hear from the creators, builders, and leading users of Bro.

Its the premier annual gathering of Bro experts. October 10-12 in

Washington DC. Learn more: http://www.sans.org/info/207020


*****************************************************************************

TOP OF THE NEWS

 

--Vulnerable ES&S Election Machines

(September 27, 2018)

An Election Systems & Software (ES&S) voting tabulation machine that is widely used in the US has been found to be vulnerable to hacking through an updating procedure. The issue was detected at DefCons Voting Village earlier this year. The ES&S Model 650 high-speed ballot-counting machine is used in more than half of US states. The company stopped manufacturing the machines in 2008. An ES&S spokesperson told the Wall Street Journal via mail that while the older machine does not possess the security measures of newer models, the security protections on the M650 are strong enough to make it extraordinarily difficult to hack in a real world environment. (Please note: the WSJ story is behind a paywall.)


[Editor Comments]


[Neely] A key finding of the research was that these older machines lack the capabilities to verify they are running a known secure configuration. As these are centralized ballot counting devices, the compromise requires access to the centralized location, typically the county clerks office and/or network, rather than at a field polling location, which means the risk can be partly mitigated with access control, including verified air-gaps, at the centralized locations. The trick will be testing to verify the integrity of the existing systems hasnt been compromised. Additionally, the risk can be mitigated by deploying newer systems with updated security and technology.

 

[Murray] Most appliances built upon general purpose computers are vulnerable to contamination through updating procedures. That is why we have compensating controls during such procedures. Closed systems and populations would help.  

 

Read more in:

Ars Technica: Defcon Voting Village report: bug in one system could flip Electoral College

https://arstechnica.com/information-technology/2018/09/e-voting-researchers-warn-of-hack-that-could-flip-the-electoral-college/

Cyberscoop: DEF CON report finds decade-old flaw in widely used ballot-counting machine

https://www.cyberscoop.com/def-con-voting-village-report/

The Hill: Widely used election machines are vulnerable to cyberattack: report

https://thehill.com/policy/technology/408693-election-machines-used-in-many-states-are-vulnerable-to-cyberattack-report

WSJ: Voting Machine Used in Half of U.S. Is Vulnerable to Attack, Report Finds (paywall)

https://www.wsj.com/articles/widely-used-election-systems-are-vulnerable-to-attack-report-finds-1538020802

 
 

--Port of San Diego Suffered Ransomware Attack; Follows Barcelona Port Attack

(September 27, 2018)

The Port of San Diego (California) has acknowledged that its IT systems were compromised by ransomware. The incident affected various services, including issuing park permits and processing public records requests. The attack is the third recent cyberattack against a port. Last week, the Port of Barcelona, Spain acknowledged that its internal systems were attacked. In July, a ransomware attack affected computers at the Long Beach Port.


Read more in:

ZDNet: Port of San Diego suffers cyber-attack, second port in a week after Barcelona

https://www.zdnet.com/article/port-of-san-diego-suffers-cyber-attack-second-port-in-a-week-after-barcelona/

Bleeping Computer: Port of San Diego Affected by a Ransomware Attack

https://www.bleepingcomputer.com/news/security/port-of-san-diego-affected-by-a-ransomware-attack/

Port of San Diego: Port of San Diego 9/27 Update on Cybersecurity Incident

https://www.portofsandiego.org/press-releases/general-press-releases/port-san-diego-927-update-cybersecurity-incident


 

--Universities Developing Improved Cybersecurity Training Pathways

(September 25, 2018)                   

Institutes of higher education in the US are stepping up efforts to draw students to cybersecurity programs. Some are offering cutting edge cyber ranges, where students can hone their skills in simulated real-world environments. Others are teaming up with technology companies and government agencies to offer cybergame challenges and mentorships. The most technical of these programs are leading to far higher job placement rates than the cybersecurity programs so many students attended in the past that taught them only how to admire the problem rather than how to find and fix the problems. SANS Technology Institutes Masters of Security Engineering (and Management) Program which ensures students master the most critical skills that employers seek is the model being emulated by the best of the new programs. (www.sans.edu)  


Read more in:

Ed Tech Magazine: Universities Invest in Cybersecurity Pathways to Add to the Workforce

https://edtechmagazine.com/higher/article/2018/09/universities-invest-cybersecurity-pathways-add-workforce


**************************  SPONSORED LINKS  ********************************


1) "CCEINLs New Approach to Securing Critical Industrial

Infrastructure" with Andy Bochman and Phil Neray.  Register:

http://www.sans.org/info/207025


2) Don't Miss "Automating Open Source Security: A SANS Review of

WhiteSource" Register: http://www.sans.org/info/207030


3) What challenges do you face in using cyber threat intelligence (CTI)?

Help SANS examine the state of CTI. Take the survey and enter to win a

$400 Amazon gift card | http://www.sans.org/info/207035


*****************************************************************************

REST OF THE WEEKS NEWS

 

--Apple Device Enrollment Program Uses Weak Authentication

(September 27, 2018)

A weakness in Apples Device Enrollment Program (DEP) for mobile device management (MDM) could be exploited to steal Wi-Fi passwords and VPN configuration data. DEP allows a device to be enrolled in the MDM server with only a serial number; if organizations do not require additional authentication for device enrollment, attackers could enroll rogue devices that could be used as a means to access information about the organization. 


[Editor Comments]


[Neely] Because DEP only uses the device serial number for enrollment and Apples device serial numbers are predictable, there are two possible issues. First, a bogus device can enroll in DEP prior to the legitimate one, and second, a legitimate serial number from an enrolled device can be used to access sensitive corporate information. Enrollment still requires access to a company authorized DEP account and interaction with your MDM server. Restrict access to these services and accounts; verify that devices enrolled are genuine to mitigate the risk.


Read more in:

The Register: Looking after the corporate Apple mobile fleet? Beware: MDM onboarding is 'insecure'

https://www.theregister.co.uk/2018/09/27/apple_mdm_insecure/

Threatpost: Weakness in Apple MDM Tool Allows Access to Sensitive Corporate Info

https://threatpost.com/weakness-in-apple-mdm-tool-allows-access-to-sensitive-corporate-info/137737/

 
 

--Cisco Security Updates for IOS and IOS XE

(September 27, 2018)

Cisco has released updates to address security issues in its IOS and IOS XE networking software. Thirteen of the flaws have been given a high severity rating; they could be exploited to gain elevated privileges or create denial-of-service (DoS) conditions. 


Read more in:

The Register: Cisco coughs up baker's dozen of vulns and other security nasties

https://www.theregister.co.uk/2018/09/27/cisco_vulns_h2_18/

ZDNet: Cisco DoS warning: Patch these 13 high-severity holes in IOS, IOS XE now

https://www.zdnet.com/article/cisco-dos-warning-patch-these-13-high-severity-holes-in-ios-ios-xe-now/

Bleeping Computer: Cisco Releases Alerts for 14 High Severity Bugs

https://www.bleepingcomputer.com/news/security/cisco-releases-alerts-for-14-high-severity-bugs/

Cisco: Cisco Security Advisories and Alerts

https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir&limit=23#~Vulnerabilities

 
 

--LoJax UEFI Rootkit Detected in the Wild

(September 27, 2018)

Researchers from ESET have detected malware capable of infecting a devices Unified Extensible Firmware Interface (UEFI). The malware, which researchers have called LoJax, contains elements that tie to the Russian APT 28 hacking group, which is also known as Fancy Bear. The LoJax rootkit malware can persist on infected machines even after the operating system is reinstalled and the hard drive is replaced.


[Editor Comments]


[Northcutt] The Unified Extensible Firmware Interface, (UEFI, essentially BIOS Next Generation), a stripped down, always on OS, allows access to the computer even if there is no operating system installed and is sometimes used in conjunction with Wake on LAN. This isnt a new problem; if there is an always-available method to manipulate a computer, you can bet malicious actors are going to take advantage of it.


Read more in:

Wired: Russias Elite Hackers Have a Clever New Trick That's Very Hard to Fix

https://www.wired.com/story/fancy-bear-hackers-uefi-rootkit/

Cyberscoop: Russians' stealthy 'LoJax' malware can infect on the firmware level

https://www.cyberscoop.com/lojax-russia-apt28-eset-firmware/

SC Magazine: The lowdown on LoJax: Researchers detect a UEFI rootkit in the wild

https://www.scmagazine.com/home/news/the-lowdown-on-lojax-researchers-detect-a-uefi-rootkit-in-the-wild/

WeLiveSecurity: LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group

https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

 
 

--Former NSA Employee Sentenced to Five-and-a-Half Years in Prison for Taking Home Classified Materials

(September 26, 2018)

A US judge in Maryland has sentenced a former National Security Agency (NSA) employee to five-and-a-half years in prison for taking home massive troves of highly classified national defense information without authorization. Nghia Hoang Pho worked in NSAs Tailored Access Operations. Unconfirmed reports suggest that some of the information Pho took home was stolen by Russian intelligence from his computer.


[Editor Comments]


[Pescatore] An important reminder that monitoring for unusual internal user data flows is still critical, even though most press interest has switched to more exciting external attacks. It may be accidentalemployees taking data home to work on a legitimate projectbut the consequences are still expensive.


Read more in:

ZDNet: Ex-NSA employee gets 5.5 years in prison for taking home classified info

https://www.zdnet.com/article/ex-nsa-employee-gets-5-5-years-in-prison-for-taking-home-classified-info/

The Register: NSA dev in the clink for 5.5 years after letting Kaspersky, allegedly Russia slurp US exploits

https://www.theregister.co.uk/2018/09/26/nsa_worker_jailed/

Ars Technica: NSA employee who brought hacking tools home sentenced to 66 months in prison

https://arstechnica.com/tech-policy/2018/09/nsa-employee-who-brought-hacking-tools-home-sentenced-to-66-months-in-prison/

Nextgov: NSA Staffer Sentenced to 5.5 Years in Prison for Taking Documents Home

https://www.nextgov.com/cybersecurity/2018/09/nsa-staffer-sentenced-55-years-prison-taking-documents-home/151589/

 
 

--Chrome 70 Will Address Privacy Concerns

(September 25 & 26, 2018)

With the release of Chrome 70 next month, Google will roll back several features in version 69 of the browser that raised privacy concerns. In Chrome 69, users found that they were being automatically logged into Chrome when they logged into any other Google service; in Chrome 70, users can toggle an Allow Chrome sign-in option. Google will also change the way it manages authentication cookies. Previously, when users deleted cookies in Chrome, the browser retained Googles own authentication cookies; in Chrome 70, when users delete cookies, all cookies will be deleted. 


[Editor Comments]


[Murray] In part, this problem arises from Googles choice to make the use of their offerings as convenient as possible. For those who are the exclusive users of their systems in closed environments, these choices work very well. For users of shared machines in open environments, not so much.

 

Read more in:

Google: Product updates based on your feedback

https://www.blog.google/products/chrome/product-updates-based-your-feedback/amp/

The Register: Cookie clutter: Chrome saves Google cookies from cookie jar purges

https://www.theregister.co.uk/2018/09/25/chrome_69_google_cookies/

The Register: Google actually listens to users, hands back cookies and rethinks Chrome auto sign-in

https://www.theregister.co.uk/2018/09/26/google_backtrack_chrome/

V3: Google backtracks over automatic Chrome browser sign-in

https://www.v3.co.uk/v3-uk/news/3063464/google-backtracks-over-automatic-chrome-browser-sign-in

Threatpost: Google Vows Privacy Changes in Chrome Browser After User Backlash

https://threatpost.com/google-vows-privacy-changes-in-chrome-browser-after-user-backlash/137706/

Bleeping Computer: Chrome 70 Lets you Control Automatic Login and Deletes Google Cookies

https://www.bleepingcomputer.com/news/google/chrome-70-lets-you-control-automatic-login-and-deletes-google-cookies/

 
 

--Mitsubishi Recalls SUVs Over Software Bug

(September 25, 2018)

Mitsubishi has recalled 68,000 Outlander SUVs in the US due to a pair of software bugs. One of the flaws affects the cars braking system computerized management system; it could cause features such as adaptive cruise control and antilock brakes to malfunction. The second problem affects the cars forward-collision mitigation system that could increase the risk of a rear-end collision, according to Consumer Reports.   


[Editor Comments]


[Murray] Mistakes in functions in software will be cheaper to remedy than the same function in hardware. However, the requirement to get it right the first time is just as high for software as for hardware. So called software engineers seem to be culturally more tolerant of shoddy than are traditional engineers working in metal.  


Read more in:

The Register: Braking bad: Mitsubishi recalls 68k SUVs over buggy software

https://www.theregister.co.uk/2018/09/25/mitsubishi_suv_bugs_recall/

Consumer Reports: Mitsubishi Recalls 68,000 SUVs Over Bad Software

https://www.consumerreports.org/car-recalls-defects/mitsubishi-recalls-68000-suvs-over-bad-software/

 
 

--Product Testing Lawsuits

(September 20 & 21, 2018)

A lawsuit filed by NSS Labs against CrowdStrike, Symantec, and ESET alleges that the companies have conspired to restrict competition in the testing of cybersecurity products.


[Editor Comments]


[Pescatore] Objective security testing of security products is more important than ever, especially with all the over-hyped claims of machine learning and automation solving every possible security problem with zero false positives or false negatives. Vendor-driven testing standards and organizations invariably set the testing bar very lowno surprise, there. That said, more transparency by NSS and some indication of third-party audits of their processes is needed.


Read more in:

Search Security: CrowdStrike responds to NSS Labs lawsuit over product testing

https://searchsecurity.techtarget.com/news/252449112/CrowdStrike-responds-to-NSS-Labs-lawsuit-over-product-testing

ZDNet: NSS Labs files lawsuit over alleged CrowdStrike, Symantec, ESET product test conspiracy

https://www.zdnet.com/article/nss-labs-files-lawsuit-against-crowdstrike-symantec-eset-amtso/

NSS Labs: Complaint

https://www.nsslabs.com/default/assets/File/2018-09-18-NSS-Complaint.pdf


 

INTERNET STORM CENTER TECH CORNER

Firefox Haveibeenpwned Monitor

https://blog.mozilla.org/blog/2018/09/25/introducing-firefox-monitor-helping-people-take-control-after-a-data-breach/


Chrome 69 Privacy Issues

https://www.bleepingcomputer.com/news/google/chrome-69-keeps-googles-cookies-after-you-clear-browser-data/


Google Reverts Changes to Chrome

https://www.blog.google/products/chrome/product-updates-based-your-feedback/amp/


Cisco FragmentSmack Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180824-linux-ip-fragment


Microsoft Bitlocker Turns itself Off During Updates

https://social.technet.microsoft.com/Forums/en-US/0e48536f-40ff-4046-bd08-ed4a39b4840f/bitlocker-automatically-suspending-during-updates?forum=win10itprosecurity


Emotet Malware Delivery Service Update

https://isc.sans.edu/forums/diary/One+Emotet+infection+leads+to+three+followup+malware+infections/24140/


Fedora Crypto Policy Update Causes SSH Issues

https://bugzilla.redhat.com/show_bug.cgi?id=1631970


Android Banking Trojan Impersonates QRecorder

https://lukasstefanko.com/2018/09/banking-trojan-found-on-google-play-stole-10000-euros-from-victims.html


Enriching Radare2 and x64dbg malware analysis with statically decoded strings

https://isc.sans.edu/forums/diary/Enriching+Radare2+and+x64dbg+malware+analysis+with+statically+decoded+strings/24146/


Weaknesses in Apple's Mobile Device Management

https://duo.com/labs/research/mdm-me-maybe


LoJax UEFI Rootkit

https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

       

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create