SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #65
August 18, 2017
TOP OF THE NEWS
Cybersecurity: The Hottest New Major In College
Not Enough Hands-On, Security Training in College
International Programming Olympiad Coach: U.S. Computer Science Education Shortchanges US Students
THE REST OF THE WEEK'S NEWS
Legislators Call for Investigation into FCC's Claim It Was DDoSed
Car Safety Vulnerability Lies in the Way CAN Handles Error Messages
ShadowPad Supply Chain Attack Affects NetSarang Software
Tech Companies File Amici Brief in Support of Warrants for Cell Phone Data
Maersk Details NotPetya Losses
Ukrainian Hacker is Now FBI Witness
Carnegie Mellon CERT's Guide to Coordinated Vulnerability Disclosure
NIST Releases Security and Privacy Controls Draft
Eight Chrome Extensions Hijacked
Cyberespionage Group Targeting US Defense Companies
Malicious PowerPoint Delivered in Spear Phishing Campaign Infected Machines with RAT
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Barkly *******************************
Ransomware continues to experience record growth in 2017. Traditional solutions aren't enough and can't keep up with hundreds of thousands of new malware versions created daily. In this webcast, you will learn the three strategies Avidia Bank implemented to shut out today's sophisticated threats and how you can apply them to protect your own organization: Register: http://www.sans.org/info/197610
***************************************************************************
TRAINING UPDATE
-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017
-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017
-- SANS Baltimore Fall 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017
-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017
-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017
-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017
-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017
-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017
-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017
-- SANS OnDemand and vLive Training | Get an iPad Pro (10.5") with Smart Keyboard, an HP Chromebook 13 G1 or take $350 Off OnDemand or vLive Training when you register by August 30! https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
TOP OF THE NEWS
--Cybersecurity: The Hottest New Major In College (August 15, 2017)
Large numbers of US colleges have added undergraduate cybersecurity majors, cybersecurity concentrations to other majors, and master's degree programs in cybersecurity. Most colleges, however, do not know what to teach, and many are teaching students only how to admire the cybersecurity problem, but not how to fix it. Further, computer science graduates don't learn secure coding or other technical cybersecurity topics. None of the top ten undergraduate computer science and engineering programs at American universities (as ranked by the U.S. News & World Report) required its students to take a cybersecurity course in order to graduate.
Read more in:
https://www.villagevoice.com/2017/08/15/how-cybersecurity-became-2017s-hot-new-major/
--Not Enough Hands-On, Security Training in College (August 17, 2017)
According to a survey from Veracode, 70 percent of DevOps specialists say they did not receive adequate hands-on training while in college. Most said that they did the majority of their practical learning on the job. The DevSecOps Global Skills Survey comprises responses from 400 DevOps professionals from around the world. Eighty percent of those responding said they did not have adequate cybersecurity skills when entering the workforce. And 85 percent say they are somewhat or not at all prepared to deliver software as quickly as DevOps usually requires.
Read more in:
Dark Reading: 70% of DevOps Pros Say They Didn't Get Proper Security Training in College
http://www.darkreading.com/application-security/70--of-devops-pros-say-they-didnt-get-proper-security-training-in-college/d/d-id/1329654?
--USA Computing Olympiad Coach: U.S. Computer Science Education Shortchanges American Students
Dr. Rob Kolstad, who coached the USA teams in the International Computing Olympiad for 20 years, explains how US computer science education has gone off track, why and how Russia's students are much better prepared to excel in cybersecurity, and approaches to turning the situation around.
Read more in:
https://www.sans.org/cyberskills/Kolstad-Report-2017.pdf
*************************** SPONSORED LINKS ********************************
1) NSS Labs finds many NGFWs are vulnerable to evasions. Test your firewall defenses against Evasions http://www.sans.org/info/197615
2) Dave Shackleford talks about how automated threat analysis is key to turning millions of raw data points into actionable intelligence. http://www.sans.org/info/197620
3) Join John Pescatore & E8 Security to learn how studying the behavior of people and machines shows what's normal and what may pose a risk to your organization. http://www.sans.org/info/197625
******************************************************************************
THE REST OF THE WEEK'S NEWS
--Legislators Call for Investigation into FCC's Claim It Was DDoSed (August 17, 2017)
Two US legislators are calling for an independent investigation into the Federal Communications Commission's (FCC's) claim that it suffered a distributed denial-of-service (DDoS) attack in early May. The FCC has not released documentation of the attack, leading legislators to question "the state of cybersecurity at the FCC - questions that warrant an independent review."
Read more in:
Ars Technica: FCC's claim that it was hit by DDoS should be investigated, lawmakers say
https://arstechnica.com/information-technology/2017/08/democrats-want-investigation-of-net-neutrality-comment-system-outage/
FCW: Dems want more data on FCC DDoS attacks
https://fcw.com/articles/2017/08/17/fcc-ddos-congress-mazmanian.aspx
Nextgov: Dems Want Proof FCC Net Neutrality Page Was Actually Attacked
http://www.nextgov.com/cybersecurity/2017/08/dems-want-proof-fcc-net-neutrality-page-was-actually-attacked/140329/?oref=ng-channeltopstory
The Hill: Dems want independent probe into FCC cyberattack
http://thehill.com/policy/technology/346999-dems-call-for-independent-investigation-into-fccs-cyberattack-response
Senate: Letter requesting Investigation (PDF)
https://www.schatz.senate.gov/imo/media/doc/Letter_GAO%20FCC%20Cybersecurity.pdf
--Car Safety Vulnerability Lies in the Way CAN Handles Error Messages (August 16 & 17, 2017)
A vulnerability in the Controller Area Network (CAN) that exists in most new automobiles could be exploited to shut down components of the car, including safety systems. Any component connected to the car's CAN bus could be affected. The issue is not one that can simply be patched because it lies in the CAN bus messaging protocol standard. Components that send too many error messages are disconnected from the CAN, so if attackers can spoof error messages to appear to be coming from a targeted component, that component could be shut off from the CAN.
[Editor Comments]
[Neely] To attempt this attack, you have to be connected to the CAN. CAN was designed in 1983 as a stand-alone network; modern electronics have added entry points such as Bluetooth or Wi-Fi. The CAN bus wasn't designed for a flood of error messages; quite the contrary, that's the criterion to indicate a defective component and shut it down to protect the vehicle. While introduction of an IDS/IPS to the CAN could detect an attack, and maybe stop it, it would be hard to tell the difference between an attack and a legitimate malfunctioning component. This reinforces the need for an updated CAN standard designed with more isolation and security necessitated by modern connected components and corresponding threats.
[Northcutt] Once an attacker accesses the CAN it is game over. A big question is how do they access it, but every security professional needs to understand the basics. I recommend this paper as a start: https://www.sans.org/reading-room/whitepapers/threats/hacking-bus-basic-manipulation-modern-automobile-through-bus-reverse-engineering-37825
Read more in:
Wired: A Deep Flaw in Your Car Lets Hackers Shut Down Safety Features
https://www.wired.com/story/car-hack-shut-down-safety-features/
Bleeping Computer: Unpatchable Flaw Affects Most of Today's Modern Cars
https://www.bleepingcomputer.com/news/security/unpatchable-flaw-affects-most-of-todays-modern-cars/
ZDNet: How secure is your car? Unpatchable flaw lets attackers disable safety features
http://www.zdnet.com/article/how-secure-is-your-car-unpatchable-flaw-lets-attackers-disable-safety-features/
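The error-confinement rule the item describes (a node that sees too many error frames is forced off the bus) and the detection caveat in Neely's comment, as an added example that is not code from the article or from any research it cites; the node names, the event log and the monitor threshold are constructed, and the counter rules are the ones ISO 11898-1 specifies:

```python
"""CAN error confinement (ISO 11898-1) modelled as a state machine, plus a
per-node error-rate monitor of the kind an on-bus IDS would run.
Added example; node names, event log and threshold are constructed."""

ERROR_ACTIVE, ERROR_PASSIVE, BUS_OFF = "error-active", "error-passive", "bus-off"


class CanNode:
    """Transmit error counter (TEC) as a CAN controller keeps it: +8 for each
    error frame seen during the node's own transmission, -1 for each
    successful frame, error-passive above 127, bus-off above 255."""

    def __init__(self, name):
        self.name = name
        self.tec = 0

    def state(self):
        if self.tec > 255:
            return BUS_OFF
        if self.tec > 127:
            return ERROR_PASSIVE
        return ERROR_ACTIVE

    def transmit(self, error_seen):
        """Apply one transmission attempt and return the resulting state."""
        if self.state() == BUS_OFF:
            return BUS_OFF  # a bus-off controller no longer takes part
        if error_seen:
            self.tec += 8
        elif self.tec > 0:
            self.tec -= 1
        return self.state()


def errors_to_bus_off(start_tec=0):
    """Consecutive error frames that take a node from start_tec to bus-off."""
    probe = CanNode("probe")
    probe.tec = start_tec
    attempts = 1
    while probe.transmit(True) != BUS_OFF:
        attempts += 1
    return attempts


def replay(log):
    """Replay (seconds, node, outcome) events; return each node's final state."""
    nodes = {}
    for _ts, name, outcome in log:
        nodes.setdefault(name, CanNode(name)).transmit(outcome == "error")
    return {name: node.state() for name, node in nodes.items()}


def flag_nodes(log, window=1.0, max_errors=4):
    """Nodes whose error-frame count in any fixed window exceeds max_errors.
    A hit says a node is being driven toward bus-off, not why: a failing
    transceiver and spoofed error frames look identical at this layer."""
    counts = {}
    for ts, name, outcome in log:
        if outcome == "error":
            key = (name, int(ts // window))
            counts[key] = counts.get(key, 0) + 1
    return sorted({name for (name, _b), n in counts.items() if n > max_errors})


# constructed bus log: ENGINE shows ordinary noise (one error in ~200 frames),
# BRAKE sees a burst of error frames during its own transmissions
SAMPLE_LOG = (
    [(i * 0.002, "ENGINE", "ok") for i in range(200)]
    + [(0.5, "ENGINE", "error")]
    + [(1.0 + i * 0.005, "BRAKE", "error") for i in range(32)]
)
```

Thirty-two consecutive error frames are enough to take a fresh node to bus-off, which is why a burst like BRAKE's is worth alerting on even though the monitor alone cannot say whether the cause is a fault or an attack.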
--ShadowPad Supply Chain Attack Affects NetSarang Software (August 15, 16, & 17, 2017)
Kaspersky Lab has detected a backdoor in server management software that is used by hundreds of companies around the world. The backdoor, dubbed ShadowPad, lets attackers download additional malware modules and steal information. NetSarang, which makes the affected software, has addressed the issue. Kaspersky was alerted to ShadowPad when one of its customers noticed suspicious DNS requests originating from a system that is used to process financial transactions. ShadowPad was active between July 17 and August 4, 2017.
[Editor Comments]
[Williams] Would your monitoring team have caught this backdoor? It was stealthy; most in-house monitoring teams would not have caught it. It was active for almost a month before being detected. The damage goes beyond the backdoor being present. Did the attackers move laterally? Exfiltrate data? Table top exercises can help you walk through your response to a similar threat.
Read more in:
Threatpost: Attackers Backdoor Another Software Update Mechanism
https://threatpost.com/attackers-backdoor-another-software-update-mechanism/127452/
Kaspersky: ShadowPad: Attackers Hid Backdoor in Software Used by Hundreds of Large Companies Worldwide
https://usa.kaspersky.com/about/press-releases/2017_shadowpad-attackers-hid-backdoor-in-software-used-by-hundreds-of-large-companies-worldwide
Cyberscoop: Bad backdoor found in server software used by financial institutions
https://www.cyberscoop.com/shadowpad-backdoor-netsarang-kaspersky-hong-kong/?category_news=technology
SC Magazine: 'ShadowPad' attack sabotaged NetSarang software with backdoor
https://www.scmagazine.com/shadowpad-attack-sabotaged-netsarang-software-with-backdoor/article/682295/
--Tech Companies File Amici Brief in Support of Warrants for Cell Phone Data (August 15 & 16, 2017)
More than a dozen US tech companies filed an amici brief with the US Supreme Court, voicing their support for strong privacy protections and requiring law enforcement to obtain warrants to access certain data from mobile phones. The brief says that law enforcement currently relies on outdated laws to obtain the warrants, which violate the Fourth Amendment.
[Editor Comments]
[Neely] Contrast this to the new feature in iOS 11 which will allow you to discreetly and quickly disable TouchID, as well as disabling the reported new facial recognition to unlock the device, alleviating fears over access to devices without entering a passcode. This allows some added access control and mitigates the risk of fake or duplicated biometrics.
Read more in:
Wired: Verizon-Yes, Verizon-Just Stood Up for Your Privacy
https://www.wired.com/story/verizon-privacy-location-data-fourth-amendment/
Law.com: Tech Giants File Amici Brief in Supreme Court Case Over Cellphone Data
http://www.law.com/sites/almstaff/2017/08/15/tech-giants-file-amici-brief-in-supreme-court-case-over-cellphone-data/?slreturn=20170718001355
ACLU: Brief for Technology Companies as Amici Curiae... (PDF)
https://www.aclu.org/sites/default/files/field_document/no._16-402_ac_technology_companies_0.pdf
--Maersk Details NotPetya Losses (August 16, 2017)
Shipping company Maersk says that the NotPetya malware attack earlier this summer will ultimately cost it hundreds of millions of dollars in losses due to "significant business interruption." Maersk accounts for nearly 15 percent of all worldwide shipping.
[Editor Comments]
[Pescatore] I'm always suspicious of publicly traded companies' estimates of losses due to significant events (especially for, but not just, cyber attacks), but let's do the math: the three business units of Maersk impacted by NotPetya did about $7.7B in revenue in Q2 2017, with a profit of $239M or 3%. The NotPetya impact estimate would pretty much wipe out an entire quarter of profit - definitely a Board of Directors attention-getter. What I hope the Board really focuses on is that the article quotes the CEO as saying, "he learned that there was nothing that could have been done to stop the attack" - even though many of Maersk's direct competitors managed to do just that.
Read more in:
The Register: NotPetya ransomware attack cost us $300m - shipping giant Maersk
http://www.theregister.co.uk/2017/08/16/notpetya_ransomware_attack_cost_us_300m_says_shipping_giant_maersk/
Threatpost: Maersk Shipping Reports $300m Loss Stemming from Notpetya Attack
https://threatpost.com/maersk-shipping-reports-300m-loss-stemming-from-notpetya-attack/127477/
--Ukrainian Hacker is Now FBI Witness (August 16, 2017)
A Ukrainian man who turned himself in to police in that country earlier this year has become a witness for the FBI. The hacker, known only by his online handle of Profexer, wrote code that was used in cyberattacks against the US, believed to be perpetrated by Russia.
Read more in:
NYT: In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking
https://www.nytimes.com/2017/08/16/world/europe/russia-ukraine-malware-hacking-witness.html
Ars Technica: Ukraine malware author turns witness in Russian DNC hacking investigation
https://arstechnica.com/gadgets/2017/08/ukraine-malware-author-turns-witness-in-russian-dnc-hacking-investigation/
Bob Sullivan: Ukrainian malware programmer said to be cooperating with U.S. on Russia election hacking probe
https://bobsullivan.net/cybercrime/ukrainian-malware-programmer-said-to-be-cooperating-with-u-s-on-russia-election-hacking-probe/
The Hill: Ukraine hacker cooperating with FBI in Russia probe: report
http://thehill.com/policy/cybersecurity/346864-ukrainian-hacker-cooperating-with-fbi-in-russian-hacking-probe-report
--Carnegie Mellon CERT's Guide to Coordinated Vulnerability Disclosure (August 16, 2017)
Carnegie Mellon University's Software Engineering Institute at the CERT Coordination Center has published a guide to vulnerability disclosure. It is "not a technical document," says report co-author Art Manion, but rather, it "is about a very human process. What should you do when you find a vulnerability? Who do you tell? What should that person do?"
[Editor Comments]
[Pescatore] A well-written document if you are looking to read an 88 page description of "responsible disclosure" renamed "Coordinated Vulnerability Disclosure." Or just read the 27 pages Steve Christey and Chris Wysopal wrote in 2002 "Responsible Vulnerability Disclosure Process" - which still ring true today, and is reference 18 in the looong CMU document.
Read more in:
Cyberscoop: This one matters, too: Carnegie Mellon issues guide to disclosing software vulnerabilities responsibly
https://www.cyberscoop.com/carnegie-mellon-sei-cert-vulnerability-disclosure/?category_news=technology
CMU: The CERT Guide to Coordinated Vulnerability Disclosure
https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=503330
--NIST Releases Security and Privacy Controls Draft (August 15 & 16, 2017)
The US National Institute of Standards and Technology (NIST) has released Draft Special Publication 800-53: Security and Privacy Controls for Information Systems and Organizations. NIST is taking comments on the draft through September 12, 2017.
[Editor Comments]
[Pescatore] A first look shows mostly readability improvements, but I noticed NIST has removed any prioritization guidance, a big step backwards. The rationale seems to be that prioritization should be done when following the Risk Management Framework, but the Critical Security Controls have proven the need for prioritization of basic security hygiene across any realistic look at reducing real world risk. Heck, even the Payment Card Industry Data Security Standards have had prioritization guidance for years.
Read more in:
FCW: NIST retools security and privacy controls for IoT era
https://fcw.com/articles/2017/08/16/nist-retools-for-iot.aspx
Nextgov: NIST Releases Updated Cyber and Privacy Guidance Draft
http://www.nextgov.com/cybersecurity/2017/08/nist-releases-updated-cyber-and-privacy-guidance-draft/140265/?oref=ng-channelriver
NIST: Security and Privacy Controls for Information Systems and Organizations (PDF)
http://csrc.nist.gov/publications/drafts/800-53/sp800-53r5-draft.pdf
--Eight Chrome Extensions Hijacked (August 15 & 16, 2017)
Hackers have hijacked eight Chrome extensions over the past several months. In all eight cases, hackers used phishing attacks to trick developers into exposing their Chrome developer account credentials. The attackers used the access to push out malicious code to users. The affected extensions are Copyfish, Web Developer 0.4.9, Chrometana 1.1.3, Infinity New Tab 3.12.3, Web Paint 1.2.1, Social Fixer 21.1.1, TouchVPN, and Betternet VPN.
[Editor Comments]
[Murray] These are "indicators of compromise." What was compromised was the development process of the authors of the extensions.
[Williams] Plugins are software and should be part of your threat model. More information here: https://www.renditioninfosec.com/2017/08/software-pluginsextensions-should-be-part-of-your-threat-model/
Read more in:
ZDNet: Google Chrome under attack: Have you used one of these hijacked extensions?
http://www.zdnet.com/article/google-chrome-under-attack-have-you-used-one-of-these-hijacked-extensions/
Bleeping Computer: Eight Chrome Extensions Hijacked to Deliver Malicious Code to 4.8 Million Users
https://www.bleepingcomputer.com/news/security/eight-chrome-extensions-hijacked-to-deliver-malicious-code-to-4-8-million-users/
Threatpost: Seven More Chrome Extensions Compromised
https://threatpost.com/seven-more-chrome-extensions-compromised/127458/
--Cyberespionage Group Targeting US Defense Companies (August 15 & 16, 2017)
A cyber espionage group known as the Lazarus group has been targeting computer systems at US defense contractors, according to Palo Alto Networks. The group, which reportedly has ties to North Korea, was also behind the 2014 attack on Sony Pictures.
Read more in:
Bleeping Computer: North Korean Cyberspies Target US Defense Contractors Following Nuclear Threats
https://www.bleepingcomputer.com/news/security/north-korean-cyberspies-target-us-defense-contractors-following-nuclear-threats/
V3: North Korea's Lazarus hacking group targets US defence contractors
https://www.v3.co.uk/v3-uk/news/3015695/north-koreas-lazarus-hacking-group-targets-us-defence-contractors
--Malicious PowerPoint Delivered in Spear Phishing Campaign Infected Machines with RAT (August 15, 2017)
Attackers are exploiting a vulnerability in Microsoft Office to create malicious PowerPoints that place malware in targeted computers. Microsoft released a fix for the flaw in April. The PowerPoint attacks arrive through spear phishing campaigns aimed largely at employees of electronics manufacturing companies. The PowerPoints attempt to infect computers with a Remote Access Trojan (RAT) known as REMCOS.
[Editor Comments]
[Neely] This is another attempt to exploit CVE-2017-0199 via a Phishing campaign. While Microsoft published a patch in April, some enterprises have yet to deploy the fix, particularly those in regulated environments where significant regression testing is required before making any changes. I have seen multiple studies that show an interval of 30-200+ days to deploy patches for known vulnerabilities, and this attack leverages this window. Mitigations include more rapid application of patches, quality user awareness training and deployment of modern threat detection and response capabilities.
Trend Micro write up: http://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-0199-new-malware-abuses-powerpoint-slide-show/
Read more in:
SC Magazine: Malicious PowerPoint Slide Show files exploit Microsoft bug to deliver REMCOS RAT
https://www.scmagazine.com/malicious-powerpoint-slide-show-files-exploit-microsoft-bug-to-deliver-remcos-rat/article/682003/
INTERNET STORM CENTER TECH CORNER
Malspam Pushing Trickbot Banking Trojan
https://isc.sans.edu/forums/diary/Malspam+pushing+Trickbot+banking+Trojan/22720/
Banker Google Chrome Extension Targeting Brazil
https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/
DJI "Go" App May Be Using JSPatch To Modify Applications After Install
https://www.rcgroups.com/forums/showpost.php?p=38096850&postcount=2713
Smartlocks Bricked After Auto-Update
http://www.securitysales.com/news/smart-locks-lobotomized-failed-update/
Analysis of a Paypal Phishing Kit
https://isc.sans.edu/forums/diary/Analysis+of+a+Paypal+phishing+kit/22726/
ShadowPad Backdoor in NetSarang Equipment
https://securelist.com/shadowpad-in-corporate-networks/81432/
Solving Captcha Audio Challenges
http://uncaptcha.cs.umd.edu/papers/uncaptcha_woot17.pdf
Maldoc with auto-updated link
https://isc.sans.edu/forums/diary/Maldoc+with+autoupdated+link/22730/
Rowhammer is Back: SSD Memory Affected
https://www.usenix.org/system/files/conference/woot17/woot17-paper-kurmus.pdf
Nathaniel Quist: Active Defense in a Labyrinth of Deception
https://www.sans.org/reading-room/whitepapers/ActiveDefense/active-defense-labyrinth-deception-37462
***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS NewsBites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create