SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #58
July 25, 2017TOP OF THE NEWS
UK Commits $25 Million to Readying Teenagers For Cyber Security Careers
Estonia Implements Strong eVoting Security
Why Cyber Deterrence Won't Work
Michele Guel on Women in Cyber Security
THE REST OF THE WEEK'S NEWS
Re(hab) Boot Camp for Teenaged Hackers
IARPA's Homomorphic Encryption Computing Techniques with Overhead Reduction Program
Man Admits to Hacking Deutsche Telekom Routers
Google Implements Stronger Warnings for Unverified Apps
White Paper from Telecom Lobbyists Downplays SS7 Security Risks
Carnegie Mellon University Study Finds Most Home Routers Are Lemons
Colorado Now Requires Regular Risk-Limiting eVoting Audits
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER*************************** Sponsored By Sophos Inc. ********************
See why NSS Labs rates Sophos XG Firewall among the highest performing next-gen firewalls in the industry after a series of grueling tests. The report features detailed security effectiveness ratings, price-performance metrics and reliability test results. Don't take our word for it - download the full report and see how XG Firewall stacks up. Learn More: http://www.sans.org/info/196820
***************************************************************************TRAINING UPDATE
-- SANS OnDemand and vLive Training | Special MacBook Air Offer! Get a MacBook Air, HP ProBook 450 G4 or take $450 off your course until July 26. 30+ courses with books, labs, mp3, & SME support. https://www.sans.org/online-security-training/specials/
-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017)
-- SANS Security Awareness Summit | Nashville, TN | July 31-August 9 | https://www.sans.org/event/security-awareness-summit-2017)
-- SANS Boston 2017) | August 7-12 | https://www.sans.org/event/boston-2017)
-- SANS Virginia Beach 2017) | August 21-September 1 | https://www.sans.org/event/virginia-beach-2017)
-- SANS London September 2017) | September 25-30 | https://www.sans.org/event/london-september-2017)
-- SANS Data Breach Summit & Training 2017) | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017)
-- SANS October Singapore 2017) | October 9-28 | https://www.sans.org/event/october-singapore-2017)
-- SANS Brussels Autumn 2017) | October 16-21 | https://www.sans.org/event/brussels-autumn-2017)
-- SANS Tokyo Autumn 2017) | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017)
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/
TOP OF THE NEWS
UK Commits $25 Million to Readying Teenagers For Cyber Security Careers (July 23 & 24, 2017)
The UK's Department for Digital, Culture, Media, and Sport (DCMS) announced an online cyber security training program for up to 6,000 secondary school students beginning this autumn. Students will be selected to participate based on a recently validated, innovative cyber talent exam combining skills and psychometrics evaluations. The online CyberStart game will enable the students to learn and demonstrate their commitment through an "addictive" game they can play from anywhere there is Internet access. A "pre-cyber" intensive training program called CyberStart Essentials will allow students to master the foundation skills needed to succeed in cybersecurity. Intensive CyberAcademies will help the most talented and committed participants learn advanced techniques and launch them into jobs throughout the country. Students are being asked to register their interest in the program. Read more in: Gov.UK: Students urged to apply for pioneering Cyber Schools Programme https://www.gov.uk/government/news/students-urged-to-apply-for-pioneering-cyber-schools-programme V3: UK government plan to train 6,000 students in u20m cyber security programme https://www.v3.co.uk/v3-uk/news/3014359/uk-government-plan-to-train-6-000-students-in-gbp20m-cyber-security-programme ComputerWeekly: UK government wants to give 6,000 teenagers cyber security training http://www.computerweekly.com/news/450423197/UK-government-wants-to-give-6000-teenagers-cyber-security-training HMG Cyber Schools Programme: Register your interest in HMG Cyber Schools Programme https://hmgcyberschools.com/Estonia Implements Strong eVoting Security (July 19, 2017)
Estonia is adopting stronger security measures for its elections. Estonia is the only country that allows citizens to vote through online balloting. The system was introduced in 2005. The upgrades include features known as end-to-end verifiability. Tarvi Martens, the Estonian National Electoral Committee's head of evoting, notes that while US elections are dependent of a variety of electronic voting machines, "with Internet voting, there's a single piece of software that can be controlled." [Editor Comments] [Pescatore] The old "single point of failure" vs. "put all your eggs in one basket and really, really watch that basket debate." In constrained environments, online voting can certainly be done securely. But for societies without national ID cards and government issued electronic identities with rigid registration processes, and the ability to force other constraints, not any time soon. [Murray] Otherwise reputable computer scientists have argued against electronic voting, in part because they project all the problems of general purpose open and flexible computers onto the application. Their arguments have been so successful that there is little chance of wide-scale electronic voting in the US. The conflicting goals of transparency, accountability, and voter secrecy make it a very difficult problem. However, one might argue that it is not that much more difficult than electronic banking. Election officials should watch the Estonian experience carefully. The next generation is likely to find our reliance on paper ballots somewhat quaint. [Williams] Though this article compares Estonian evoting to US electronic voting machines, there are some key differences. Evoting in Estonia requires a smart ID card to implement nonrepudiation of any particular vote. A side effect of this is that the government can track how individual voters cast their ballots in elections. For better or worse, the US has a strong conviction that voting should be anonymous. This is a great real-world example of a functional requirement limiting security choices. [Honan] "With Internet voting, there's a single piece of software that can be controlled" either by those who are authorised to do so or by attackers. Read more in: Irish Examiner: World's most hi-tech voting system raises cyber defences http://www.irishexaminer.com/business/worlds-most-hi-tech-voting-system-raises-cyber-defences-455138.htmlWhy Cyber Deterrence Won't Work (July 19, 2017)
In a series of academic papers, Dr. Richard Harknett, professor and head of the Political Science Department at the University of Cincinnati, argues that cyber deterrence has not been effective in the past and will likely not be effective in the future. Harknett says, "Deterrence does not map to the realities of cyberspace as an operational environment. It is an environment of constant action, while the measure of effectiveness of deterrence is the absence of action." Instead, says Harknett, "A strategy of cyber persistence, in which security is sought through anticipatory behavior across the full range of operations... will better position the U.S. to shape cyberspace toward both more secure contexts and less aggressive behaviors." [Editor Comments] [Murray] If what Harknett refers to as "deterrence" is "cyber" threat based deterrence, then I agree. We need good "cyber" defense and cultural, political, and criminal sanctions as deterrence. [Williams] Reliable attribution is a requirement for cyber deterrence. True deterrence requires that aggressors in cyberspace believe that there will be consequences for their actions. But cyber retaliatory strikes require the certainty that the correct party is being targeted - something that is far from certain in nearly every cyber attack today. Read more in: Fifth Domain: Meet the scholar challenging the cyber deterrence paradigm http://www.fifthdomain.com/home/2017/07/19/meet-the-scholar-challenging-the-cyber-deterrence-paradigm/Michele Guel on Women in Cyber Security (July 24, 2017)
Michele Guel, a Cisco Distinguished Engineer and Chief Security Architect in Cisco's Security and Trust Organization, is also a co-founder, along with Cypriane Palma, of Cisco's Women in Cybersecurity Community. The organization focuses on education, outreach, leadership and coaching, and community events that build and support inclusion. Guel says that it's also important to start educating young women about careers in STEM and cyber security in middle school. [Editor Comments] [Pescatore] Michele is one of many great female role models in cybersecurity. I agree with her - about 30% of the IT workforce are women, so the 10% figure for IT security is way low. SANS sponsors SANS At Night sessions at our training conferences for many of the groups mentioned, and in 2014 gave a SANS Difference Makers award to HP and ACSA for funding Scholarships for Women Studying Information Security. [Paller] When SANS was getting started 25 years ago, Michele did more than any other person to ensure SANS courses provided all the technical content high performance cybersecurity practitioners need. We are very, very excited to see the recognition she received as 2016 Anita Borg Institute Women of Vision award winner (https://anitaborg.org/profiles/abie-award-winners/leadership/michele-d-guel/) and also the growth of her Women in Cybersecurity program. It was Michele, along with a few other women who led the way in cybersecurity, who motivated us to invest in the CyberTalent Immersion Academy for Women https://www.sans.org/media/cybertalent/Womens-Brochure.pdf. [Murray] The problem is not so much that we fail to educate early but that we "turn off" early. "Everything in the universe is inherently interesting. There are only boring models, lessons, and teachers. The last thing we are turned off to determines our career." -Ted Nelson Read more in: Forbes: No Longer The Only Woman In The Room: Lessons From Cisco's Michele Guel https://www.forbes.com/sites/georgenehuang/2017/07/24/no-longer-the-only-woman-in-the-room-lessons-from-ciscos-michele-guel/#57db33154528 *************************** SPONSORED LINKS ***************************** 1) Don't Miss: "Win The Cyberwar With Zero Trust" Register Here: http://www.sans.org/info/196825 2) Machine Learning: Practical Applications for Cyber Security. Learn More: http://www.sans.org/info/196845 3) See how your efforts to keep the cloud secure for business compare. | Take the SANS Cloud Security Survey | Remain anonymous or enter your name to win a $400 gift certificate. http://www.sans.org/info/196840 ***************************************************************************THE REST OF THE WEEK'S NEWS
Re(hab) Boot Camp for Teenaged Hackers (July 25, 2017)
The UK's National Crime Agency has sent seven young people who had committed cyber crimes to a camp that hopes to redirect their abilities in a positive direction. The pilot program was held in Bristol earlier this month. The participants will be monitored to see in what direction they take their skills. If the program proves successful, it could be expanded. [Editor Comments] [Neely] These are talented hackers who could be a real asset to the cyber security community, the challenge will be helping them focus their skills throughout their careers. Solving that problem could be a huge win for all of us. [Honan] Great initiative by the UK government and backs up a lot of what was outlined in the UK's National Crime Agency's report "Pathways into Cyber Crime" http://www.nationalcrimeagency.gov.uk/publications/791-pathways-into-cyber-crime/file Read more in: BBC: Rehab camp aims to put young cyber-crooks on right track http://www.bbc.com/news/technology-40629887IARPA's Homomorphic Encryption Computing Techniques with Overhead Reduction Program (July 24, 2017)
In an audio interview, Dr. Mark Heiligman, program manager for the Homomorphic Encryption Computing Techniques with Overhead Reduction (HECTOR) program at the US Intelligence Advanced Research Projects Activity (IARPA) describes the goals of the program. IARPA is holding a Proposers' Day Conference on Wednesday, July 26 to provide interested parties with information about the program. Read more in: FNR: Dr. Mark Heiligman: Intelligence community pursues HECTOR https://federalnewsradio.com/federal-drive/2017/07/dr-mark-heiligman/ IARPA: Homomorphic Encryption Computing Techniques with Overhead Reduction (HECTOR) https://www.iarpa.gov/index.php/research-programs/hectorMan Admits to Hacking Deutsche Telekom Routers (July 21 & 24, 2017)
A British man has admitted to launching an attack against routers belonging to Deutsche Telekom last year. The attack infected roughly 900,000 Deutsche Telekom routers with Mirai. The man was arrested at a London airport in February 2017). He has pleaded guilty in German court to attempted computer sabotage. Read more in: SC Magazine UK: Mirai Botmaster behind Deutsche Telekom router hijack pleads guilty https://www.scmagazineuk.com/mirai-botmaster-behind-deutsche-telekom-router-hijack-pleads-guilty/article/676906/ The Register: Briton admits to router hack that DDoSed Deutsche Telekom http://www.theregister.co.uk/2017/07/24/deutsche_telekom_brit_in_court/ The Guardian: Briton admits to cyber-attack on Deutsche Telekom https://www.theguardian.com/world/2017/jul/21/briton-admits-to-cyber-attack-on-deutsche-telekom-courtGoogle Implements Stronger Warnings for Unverified Apps (July 19 & 21, 2017)
People using G-suite applications, including Gmail and Google Docs, will see bolder warnings each time they try to interact with new or unverified web apps. The warnings will appear before the permissions consent screen, and will include information about the risks to their personal data if they continue to use an unverified app. [Editor Comments] [Pescatore] The success of the iPhone proved very quickly that the vast majority of users did not want and did not need unlimited choice of applications. Users have consistently preferred app stores with a large number of safe applications over jailbreaking/sideloading to install random apps - just as most buyers of SUVs choose to ride on paved roads, even though their 4WD vehicle can (theoretically) survive taking an offroad, unpaved more direct route. Making it more difficult for most users to avoid unexamined apps and scripts is a good thing. Read more in: eWeek: Google Strengthens Protections Against Unverified Web Apps http://www.eweek.com/security/google-strengthens-protections-against-unverified-web-apps Google Blog: New security protections to reduce risk from unverified apps https://developers.googleblog.com/2017)/07/new-security-protections-to-reduce-risk.htmlWhite Paper from Telecom Lobbyists Downplays SS7 Security Risks (July 19, 2017)
A lobby group representing Verizon, AT&T, and other wireless carriers has sent a white paper to members of congress and the Department of Homeland Security (DHS) urging them to "reject [a DHS] report's call for greater regulation" and maintaining that the risks posed by SS7 outlined in the DHS report are "theoretical." Experts disagree. [Editor Comments] [Williams] Virtually all experts agree that SS7 vulnerabilities are a serious problem but a lobbying group for the telecom groups disagrees? Color me surprised... These are not theoretical attacks, they have almost certainly been used by adversaries at this point in time. When the telecom industry says there is "no evidence that real world SS7 attacks have occurred" it is important to understand this is a half truth. They are not currently instrumented to discover such attacks and absent legislation forcing such instrumentation (and monitoring) they have no incentive to change the status quo. [Murray] SS7 is more than forty years old. While there are some vulnerabilities, It is significantly more resistant to tampering, interference, or compromise than the in-band signaling that it replaced. Widely deployed and used, it has been the source of little problem. Moreover, it is an international standard, better regulated by its users and operators than by governments. Read more in: Motherboard: Telecom Lobbyists Downplayed 'Theoretical' Security Flaws in Mobile Data Backbone https://motherboard.vice.com/en_us/article/7x9q8y/telecom-lobbyists-downplayed-theoretical-security-flaws-in-mobile-data-backboneCarnegie Mellon University Study Finds Most Home Routers Are Lemons (July 17, 2017)
A US Department of Defense (DoD) funded study from Carnegie Mellon University found that nearly all home routers are rife with security problems. They are "notorious for their web interface vulnerabilities" and other security issues, and they are not frequently updated. The study analyzed 13 routers from a variety of manufacturers. When the researchers found vulnerabilities, they contacted the manufacturers, giving them 45 days to release a patch, after which they would release vulnerability details. Most manufacturers responded slowly if at all. Among the suggestions for addressing the router security issue is to focus not on the number of flaws found in devices, but on the responsiveness of vendors in providing fixes. [Editor Comments] [Pescatore] You could do a block replace of "home routers" with "all consumer devices with software" in this article. In the US, the Consumer Product Safety Commission is tasked with protecting consumers from "unreasonable risks of injury or death associated with the use of the thousands of types of consumer products under the agency's jurisdiction" but has yet to focus on the safety aspects of the software in consumer products. Earlier this year, the Federal Trade Commission launched a "Home Inspector Challenge" to design a device consumers could use at home to monitor and automatically update all devices on their network. The initial set of 20 contestants is due to be announced this week. [Neely] I believe the model for this marketplace is not one of patching but rather replacement. Vendors are very busy delivering the newest "shiny" features for the home market rather than updating existing products. When updates are available, applying them typically falls to the consumer. Automatic application of updates is only a partial fix. The fixes need to not only be delivered in a timely fashion, nut also commensurate with a reasonable product lifecycle. This won't happen without consumer demand, which means they need to become aware of the problem. [Murray] One might hope that "researchers" would spend as much effort on solutions as they do on admiring the problem and casting the blame for it on others. That said, the attack surface of a "thing," device, or appliance should be as narrow as its application rather than as wide as an open and programmable computer. [Northcutt]: Home, small business routers, have vulnerabilities. This is certainly not news. However, the report, (URL below), is straightforward and recommended reading. I noted that the router I have in my home has more open ports than any of the others tested; the good news is that the ports are filtered. The vulnerabilities in table 5 are also worth looking at. [Honan] Unfortunately this issue is not going to be unique to router manufacturers but will be, and already is, a big concern with manufacturers of Internet of Things. Read more in: GovInfoSecurity: Consumer Routers Report Concludes: It's a Market of Lemons http://www.govinfosecurity.com/blogs/consumer-routers-report-concludes-its-market-lemons-p-2514 CMU: Systemic Vulnerabilities in Customer Premises Equipment (CPE) Routers (PDF) http://resources.sei.cmu.edu/asset_files/SpecialReport/2017_003_001_502618.pdfColorado Now Requires Regular Risk-Limiting eVoting Audits (July 17, 2017)
Colorado has become the first US state to require risk-limiting audits to be conducted regularly. Risk-limiting audits compare a random sample of paper ballots with their corresponding digital ballots to see if votes were correctly tabulated. Read more in: The Hill: Colorado hires startup to help audit digital election results http://thehill.com/policy/cybersecurity/342352-colorado-hires-startup-to-help-audit-digital-election-results Politico: Colorado to require advanced post-election audits http://www.politico.com/story/2017/07/17/colorado-post-election-audits-cybersecurity-240631INTERNET STORM CENTER TECH CORNER
Malicious .iso Attachments
https://isc.sans.edu/forums/diary/Malicious+iso+Attachments/22636/Maldoc with .lnk File
https://isc.sans.edu/forums/diary/Another+lnk+File/22640/Large Ethereum Hack
http://hackingdistributed.com/2017/07/22/deep-dive-parity-bug/Uber Drivers Targeted in Social Engineering Scam
https://isc.sans.edu/forums/diary/Uber+drivers+new+threat+the+passenger/22626/Mac Malware FruitFly2
https://motherboard.vice.com/en_us/article/zmv79w/mysterious-mac-malware-has-infected-hundreds-of-victims-for-yearsExploit Released for Critical Netscaler SD WAN 9.1.2 Vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6316***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create