SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #64
August 15, 2017TOP OF THE NEWS
"No Such Thing as War in Cyber"
Google Brings Phishing Detection to Gmail for iOS
With November's Firefox 57, Mozilla Bids Farewell to Legacy Add-Ons
THE REST OF THE WEEK'S NEWS
Hutchins Pleads Not Guilty in Milwaukee Court
Guccifer Seeks to Avoid Extradition to US
US State Department Established New Cyber Security Office in May
Karen Evans on Cybersecurity Professionals Shortage
Faulty Update Renders Locks Unusable
Study: Stingray Detection Apps Can Be Circumvented
US Army Initiative to Standardize IT
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Splunk *******************************Learn How to Quickly Analyze Login Activity With Splunk: Let us take you step-by-step through a security investigation (http://www.sans.org/info/197395) to identify potential malicious login activity to determine if deeper investigation is required. Start with a demo video then perform the investigations yourself in a live, preconfigured Splunk instance to investigate and visualize patterns and sequences to determine how to remediate a threat. http://www.sans.org/info/197400
***************************************************************************TRAINING UPDATE
-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017
-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017
-- SANS Baltimore Fall 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017
-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017
-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017
-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017
-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017
-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017
-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017
-- SANS OnDemand and vLive Training | Online Training Special: Get an iPad, Samsung Galaxy Tab A, or take $250 Off with OnDemand or vLive Training â ends August 16. Top-tier training without the travel. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast â https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive â https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format â https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
TOP OF THE NEWS
--"No Such Thing as War in Cyber" (August 11, 2017)
General John Hyten, head of US Strategic Command, told an audience at the annual Space and Missile Symposium in Huntsville, Alabama last week that "there's no such thing as war in cyber; there's just war," and that "we have to figure out how to defeat our adversaries, not to defeat the domains where they operate."Read more in: Fifth Domain: Gen. Hyten: 'No such thing as war in cyber'
https://www.fifthdomain.com/dod/2017/08/11/gen-hyten-no-such-thing-as-war-in-cyber/
--Google Brings Phishing Detection to Gmail for iOS (August 10 & 14, 2017)
Google has introduced anti-phishing security measures for Gmail on iOS devices. Google already rolled out the feature to Android devices several months ago. Users will see warnings when they click on links deemed suspicious in Gmail messages. If a user clicks on a link known to be malicious, the warning will be even more strongly worded. The feature will be rolled out to iOS Gmail users over the next two weeks.[Editor Comments]
[Neely] Both the 2016 and 2017 SANS Threat Landscape Surveys found phishing, including spearphishing and whaling, was the top way threats enter organizations. While the most common response to reduce the risk is enhanced user training, technical countermeasures are also needed. Google added anti-phishing features to Gmail earlier this year and are now extending them to the mobile user. In order to get these features on your mobile device, you have to be using the Gmail app, not the native mail application.
Read more in: SC Magazine: Google rolling out Gmail anti-phishing feature to iOS devices
https://www.scmagazine.com/google-rolling-out-gmail-anti-phishing-feature-to-ios-devices/article/681529/
G Suite Updates: Anti-phishing security checks in the Gmail app for iOS
https://gsuiteupdates.googleblog.com/2017/08/anti-phishing-security-checks-in-gmail.html
--With November's Firefox 57, Mozilla Bids Farewell to Legacy Add-Ons (August 10 & 14, 2017)
Mozilla has announced that starting with Firefox 57, which is scheduled for release on November 14, the browser will no longer support legacy add-ons. Instead, Firefox 57 and following versions will support only new add-ons built on WebExtensions SDK.[Editor Comments]
[Murray] With e-mail, the browser remains the Achilles Heel of the desktop, the desktop the weak point in the enterprise, and the enterprise the vulnerability of the infrastructure. We need to re-think e-mail clients and browsers. In the meantime, in a world of cheap hardware, we should isolate them from mission critical and otherwise sensitive applications.
[Neely] To increase the security of Firefox extensions, Mozilla changed the functions and interface, which will provide better security by closing access to functions that could be used to reduce security or privacy. There is also an intent to be standards based in alignment with W3C, which will make cross-browser extension development easier. Strict versioning within the extensions will help determination of compatibility, and while the number of updated add-ons continues to grow, only 20% have been updated.
Read more in: Bleeping Computer: Mozilla Will Kill Legacy Firefox Add-Ons in Exactly Three Months
https://www.bleepingcomputer.com/news/software/mozilla-will-kill-legacy-firefox-add-ons-in-exactly-three-months/
The Register: Old Firefox add-ons get 'dead man walking' call
https://www.theregister.co.uk/2017/08/14/firefox_57_to_disable_all_extensions/
Mozilla: Mozilla Add-ons Blog: Upcoming Changes in Compatibility Features
https://blog.mozilla.org/addons/2017/08/10/upcoming-changes-compatibility/
*************************** SPONSORED LINKS ******************************** 1) Need to improved efficiency, availability and security? IDC measures benefits of switching to Forcepoint NGFW http://www.sans.org/info/197405
2) Dave Shackleford talks about how automated threat analysis is key to turning millions of raw data points into actionable intelligence. http://www.sans.org/info/197410
3) Three strategies Avidia Bank implemented to shut out sophisticated threats and how you can apply them to protect your own organization. http://www.sans.org/info/197415
******************************************************************************
THE REST OF THE WEEK'S NEWS
--Hutchins Pleads Not Guilty in Milwaukee Court (August 14, 2017)
Marcus Hutchins has pleaded not guilty to conspiracy to commit computer fraud and five other charges in a Milwaukee, Wisconsin court. Hutchins, who is from the UK, was arrested in Las Vegas on August 2. He is free on bail, but has been ordered to surrender his passport. Hutchins has been granted permission to live in Los Angeles and travel within the US while awaiting trial. He was also granted access to the Internet and permission to continue his work. The terms of his release forbid him from accessing the server he used to sinkhole WannaCry earlier this year. The charges to which Hutchins pleaded not guilty stem from his alleged involvement with malware known as Kronos. A trial has been set for October.Read more in:
BBC: NHS cyber-defender Marcus Hutchins pleads not guilty in US
http://www.bbc.com/news/technology-40923065
Fifth Doman: British cybersecurity expert pleads not guilty to US charges, gets computer access
https://www.fifthdomain.com/civilian/fbi-doj/2017/08/14/british-cybersecurity-expert-pleads-not-guilty-to-us-charges/
Motherboard: Researcher Who Stopped WannaCry Pleads Not Guilty to Creating Banking Malware
https://motherboard.vice.com/en_us/article/evvn8k/malwaretech-marcus-hutchins-not-guilty-plea
--Guccifer Seeks to Avoid Extradition to US (August 11 & 14, 2017)
The person who identifies online as Guccifer is trying to avoid extradition to the United States to serve a 52-month sentence for unauthorized access to a computer and aggravated identity theft. Marcel Lehel Lazar is currently in prison in Romania serving a seven-year sentence for separate crimes. Once that sentence is complete, Lazar is scheduled to be sent to the US to serve a 52-month sentence. He is asking a Romanian court to allow him to serve that sentence in Romania instead. Lazar pleaded guilty in US court in May 2016, but was returned to Romania to serve out a prison sentence there.Read more in:
SC Magazine: Guccifer looks to avoid extradition to U.S., claims State Dept. is Guccifer 2.0
https://www.scmagazine.com/guccifer-wants-to-serve-us-sentence-in-romania-claims-state-dept-behind-guccifer-20/article/681539/
The Hill: Hacker Guccifer trying to avoid extradition to US
http://thehill.com/policy/cybersecurity/346224-hacker-that-struck-politicos-in-2013-asks-not-to-be-extradited-to-the-us
--US State Department Established New Cyber Security Office in May (August 7 & 14, 2017)
In late May, the US State Department established a new cybersecurity office, the Cyber and Technology Security (CTS) Directorate, within the Diplomatic Security Service. The new directorate "provides advanced cyber threat analysis, incident detection and response, cyber investigative support, and emerging technology solutions." CTS does not appear to have a web presence.[Editor Comments]
[Murray] Interesting but these provisions are all things that operate late. The problems in government are early, i.e., 1) policy, including risk tolerance, 2) management supervision and direction, 3) user training and awareness, 4) identification and (strong) authentication, 5) access control and administration, 6) variance recognition, identification, and remediation. These are things that are preventative and operate early.
Read more in:
The Hill: State Department quietly establishes new cybersecurity office
http://thehill.com/policy/cybersecurity/346499-state-department-quietly-establishes-new-cyber-office
FNR: Despite concerns over cyber diplomacy, State works to align internal efforts
https://federalnewsradio.com/reporters-notebook/2017/08/despite-concerns-over-cyber-diplomacy-state-works-to-align-internal-efforts/
--Karen Evans on Cybersecurity Professionals Shortage (August 14, 2017)
US Cyber Challenge Director and former White House IT official Karen Evans talks with Tom Temin about the US Cyber Challenge and about ways to help address the shortage of qualified cybersecurity professionals.Read more in:
FNR: Karen Evans: Are there enough cyber experts to go around?
https://federalnewsradio.com/federal-drive/2017/08/karen-evans/
--Faulty Update Renders Locks Unusable (August 14, 2017)
A misdirected update caused certain Internet-connected locks to fail. The update for LockState 7000i locks was mistakenly sent to the LockState 6000i. The update caused a fatal error in roughly 500 locks, leaving them unable to be locked and unable to receive wireless updates. Customers can still use keys to lock and unlock the doors.[Editor Comments]
[Williams] When considering implementing "smart" devices, consider how your organization will function if these devices suddenly become dumb devices. This is basic disaster recovery planning, but many organizations ignore it.
Read more in:
Ars Technica: Update gone wrong leaves 500 smart locks inoperable
https://arstechnica.com/information-technology/2017/08/500-smart-locks-arent-so-smart-anymore-thanks-to-botched-update/
Threatpost: Smart Locks Bricked By Bad Update
https://threatpost.com/smart-locks-bricked-by-bad-update/127427/
--Study: Stingray Detection Apps Can Be Circumvented (August 14, 2017)
Researchers from Oxford University and the Technical University of Berlin tested five Android mobile apps that claim to be able to detect when the device connects to a cell-site simulator, or Stingray. While the apps were able to detect when service had been forcibly downgraded and when they received silent messages that are used for geolocation, the researcher were able to use other methods to evade detection and trick the devices into providing their information.Read more in:
Wired: Those Free Stingray-Detector Apps? Yeah, Spies Could Outsmart Them
https://www.wired.com/story/stingray-detector-apps/
ZDNet: Those 'stingray' detector apps are basically useless, say researchers
http://www.zdnet.com/article/stingray-detector-apps-andorid-basically-useless-research/
Study: White-Stingray: Evaluating IMSI Catchers Detection Applications (PDF)
http://www.cs.ox.ac.uk/files/9192/paper-final-woot-imsi.pdf
--US Army Initiative to Standardize IT (August 11, 2017)
The US Army has launched an effort to standardize hardware and software across more than 400 units. The initiative aims to facilitate a commonality between the Army, Reserve, and National Guard units. The standardization will simplify patching and upgrades, and will make it easier for soldiers to move from one unit to another.[Editor Comments]
[Northcutt] Whenever you have policy, process or standards, you have to be wary of the requests for exceptions. The Army, in fact, all DoD is more standardized than the article leads one to believe at first read:
http://www.hnc.usace.army.mil/Media/Fact-Sheets/Fact-Sheet-Article-View/Article/482105/military-integration-division-center-of-standardization/
http://www.dsp.dla.mil/Portals/26/Documents/Publications/Journal/161001-DSPJ-01.pdf
http://jitc.fhu.disa.mil/jitc_dri/pdfs/i46308.pdf
Read more in:
Defense Systems: Army standardizes IT components, software across 400 units
https://defensesystems.com/articles/2017/08/11/army-software.aspx
INTERNET STORM CENTER TECH CORNER
Outlook Web Access Based Attacks
https://isc.sans.edu/forums/diary/Outlook+Web+Access+based+attacks/22710/The Good Phishing Email
https://isc.sans.edu/forums/diary/The+Good+Phishing+Email/22712/Git/CVS/Mercurial and others: ssh vulnerability
http://blog.recurity-labs.com/2017-08-10/scm-vulnsPostgresql Vulnerabilities
https://bugzilla.redhat.com/show_bug.cgi?id=1477185When A Malicious Looking E-Mail Turns Out to be "just" spam
https://isc.sans.edu/forums/diary/Sometimes+its+just+SPAM/22716/Android iOS Intra-Library Collusion
https://arxiv.org/abs/1708.03520SonicSpy: Android Spyware Apps
https://blog.lookout.com/sonicspy-spyware-threat-technical-researchChecking for Breached Passwords in Active Directory
https://jacksonvd.com/checking-for-breached-passwords-in-active-directory/***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
