Newsletters: NewsBites



SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #74

September 19, 2017

TOP OF THE NEWS


Equifax CIO and CSO Retiring; Company Knew About Struts Flaw
WSJ: Inside the Equifax Breach
Groundbreaker: Navy Leads in Adding Cyber Component to Accident Investigations

THE REST OF THE WEEK'S NEWS


Equifax Breach Compromised Some UK Data
NY Governor Wants Credit Reporting Agencies to Comply with Cyber Security Rules
CCleaner Utility Was Infected with Malware
Motel 6 to Prohibit Locations from Voluntarily Sharing Registry Information with ICE
Walter Copan, NIST Director Nominee, Ranks Cyber Top Priority
New Safari Anti-Tracking Feature Not Popular with Advertisers
Chrome to Label Resources Delivered via FTP "Not Secure"
Prison Sentence for Health Care System Intruder
EAC Voluntary Election Security Guidelines

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Sophos Inc. *******************************

Time to make life easier for IT! Ever feel you just don't have enough hours in the day to manage your IT security needs? You're not alone: 46% of organizations have a problematic shortage of IT security skills. Solve this problem with Sophos Central, a platform helping make life easier for IT teams while also enhancing your security. http://www.sans.org/info/198400

***************************************************************************

TRAINING UPDATE

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 | https://www.sans.org/event/pen-test-hackfest-2017

-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017

-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017

-- SANS Cyber Defense Initiative ® 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS OnDemand and vLive Training | Get an iPad Mini 4, a Galaxy Tab A, or Take $250 Off with Online Training Register by 9/27! The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

Equifax CIO and CSO Retiring; Company Knew About Struts Flaw (September 15, 16, & 17, 2017)

Two Equifax top-level executives, Chief Information Officer (CIO) David Webb and Chief Security Officer (CSO) Susan Mauldin, are said to be retiring in the wake of the massive data breach that compromised personal information of 143 million US citizens and approximately 400,000 UK citizens. In a new entry to its website containing information about the breach, Equifax has admitted to knowing about the Apache Struts flaw, saying that its "security organization was aware of this vulnerability at that time, and took efforts to identify and to patch any vulnerable systems in the company's IT infrastructure."
[Editor Comments]
[Pescatore] When you take a job with "Chief" in the title and cash the paychecks, responsibility, authority and risk come with the package. While many patches do involve business disruption, failing to patch a vulnerability that NIST gave a CVSS base score of 10 (Critical) and the SANS ISC said "Patch Now!" months in advance of the attack usually indicates a major failure of the IT organization and the IT Security organization. Many other organizations have put in place strategies to patch critical business applications without major business disruption - and by taking actions that were well within their scope of authority and responsibility.
[Murray] It is one thing to know that there is a vulnerability in a product. It is another to know where that product is in one's own applications and systems. That said, the failure to apply a patch should not result in the late detection of the exfiltration of the "Crown Jewels," the stock in trade, of the enterprise. This was not simply an error but a gross management failure. While these two officers might have been responsible for the compromise of the data in the first place, the CEO, Smith, has been responsible for the failed remediation. He too needs to be held accountable.

Read more in:
The Register: Equifax's IT leaders 'retire' as company says it knew about the bug that brought it down
http://www.theregister.co.uk/2017/09/17/equifax_cio_and_cso_retire/
SC Magazine: Equifax CSO, CIO to retire post-breach
https://www.scmagazine.com/equifax-cso-cio-to-retire-post-breach/article/689209/
ZDNet: Equifax CIO, CSO step down
http://www.zdnet.com/article/equifax-cio-cso-step-down/
Reuters: Equifax two top technology executives leave company 'effective immediately'
http://www.reuters.com/article/us-equifax-cyber-moves/equifax-two-top-technology-executives-leave-company-effective-immediately-idUSKCN1BQ2WN
Equifax Security: Equifax Releases Details on Cybersecurity Incident, Announces Personnel Changes
https://www.equifaxsecurity2017.com/

WSJ: Inside the Equifax Breach (September 18, 2017)

This article offers an in-depth look at the timeline of the Equifax breach, including the company's actions prior to and following the discovery of the intrusion. (Ed: great article, but Wall Street Journal articles are behind a paywall.)

Read more in:

WSJ: 'We've Been Breached': Inside the Equifax Hack
https://www.wsj.com/articles/weve-been-breached-inside-the-equifax-hack-1505693318

Groundbreaker: Navy Leads in Adding Cyber Component to Accident Investigations (September 14 & 15, 2017)

Speaking at the Cyber Warfare in the Maritime Domain event at the Center for Strategic and International Studies (CSIS) last week, Vice Admiral Jan Tighe said that the two recent Navy vessel accidents do not appear to have been due to cyber attacks. However, because there has been speculation in the press that the accidents involved a cyber element, the Navy sent teams to look into the matter. The activity of these teams will help "determine how we move forward in making [cyber security] a normal part of these kinds of investigations." Tighe is deputy chief of naval operations for information warfare and director of naval intelligence.

[Editor Comments]
[Assante] The Navy, through leaders like former CNO Greenert, CNO Richardson, and Vice Admiral Tighe, has demonstrated a deep understanding of the importance of cyber in the future of sea control. A colleague and Navy Officer I respect suggested cyber can either be seen as the new Kraken or as an integral part of being in a complex and highly automated maritime environment. As the first Chief Security Officer at the North American Electric Reliability Corporation (NERC), I had to struggle through the difficult ask of beginning to augment the power system event analysis process with a cyber investigative capability. Traditional accident investigation procedures must be modified in material ways (evidence collection, analysis, etc.) to account for the cyber dimension beyond the failure of a system to function properly. The Navy is demonstrating both foresight and a great deal of courage by taking on this challenge in the face of the recent tragedies and string of incidents.
[Pescatore] I think it was Steve Bellovin who proposed years ago that major cyber incidents should be investigated and documented the same way the National Transportation Safety Board "Go Team" investigates plane/train/bus crashes. A step on the path to that is making sure cyber vectors are included in all accident investigations.

Read more in:
Nextgov: Future Navy Accident Investigations Will Look for Cyber Attacks
http://www.nextgov.com/defense/2017/09/future-navy-accident-investigations-will-look-cyber-attacks/141025/
CSIS: Cyber Warfare in the Maritime Domain
https://www.csis.org/events/cyber-warfare-maritime-domain
*************************** SPONSORED LINKS ********************************

1) In case you missed it: "Fighting Account Takeover - Change The Battle and Win" go to the archive: http://www.sans.org/info/198405

2) In case you missed it: "EDR + NGAV Working Together: SANS Review of Carbon Black Cb Defense" go to the archive: http://www.sans.org/info/198410

3) What does your organization consider to be threat intelligence, and how do you use it? Take the SANS CTI survey and enter to win a $400 Amazon gift card or free pass to the SANS CTI Summit: http://www.sans.org/info/198415

******************************************************************************

THE REST OF THE WEEK'S NEWS

Equifax Breach Compromised Some UK Data (September 15, 2017)

Equifax UK has acknowledged that 400,000 UK citizens' information was compromised in the breach. UK-dedicated systems were not affected, but a "process failure" exposed the UK data because it was stored on US systems between 2011 and 2016.

Read more in:
The Register: Equifax UK admits: 400,000 Brits caught up in mega-breach
http://www.theregister.co.uk/2017/09/15/equifax_uk_breach_statement/
ZDNet: Equifax: 400,000 UK consumers could be affected by data breach
http://www.zdnet.com/article/equifax-400000-uk-consumers-could-be-affected-by-data-breach/

NY Governor Wants Credit Reporting Agencies to Comply with Cyber Security Rules (September 18, 2017)

New York Governor Andrew Cuomo wants credit reporting agencies to comply with the same cyber security regulations that banks and insurance companies must abide by if they conduct business in New York. The companies would be required to register with the state. Organizations that do not comply could be prohibited from conducting business with financial companies in New York.

[Editor Comments]
[Murray] Requires a change in the law. Any such state legislation should consider remedying the unfair practices allowed by the Orwellian "Fair" Credit Reporting Act.

Read more in:
Reuters: New York governor says Equifax, other credit reporting companies must register with state
http://www.reuters.com/article/us-cyber-experian-new-yorkequifax/new-york-governor-says-equifax-other-credit-reporting-companies-must-register-with-state-idUSKCN1BT1NA
CNET: New York proposes stricter regs following Equifax hack
https://www.cnet.com/news/new-york-proposes-stricter-regs-following-equifax-hack/

CCleaner Utility Was Infected with Malware (September 18, 2017)

Researchers at Cisco's Talos have found that download servers used to distribute the CCleaner utility were also surreptitiously delivering malware along with the software. The legitimate, signed version of CCleaner, 5.33, included malware that gathered user information and sent it to a third party. Avast, which distributed CCleaner, estimated that the infected version of the utility had been downloaded by 2.27 million users. The infected version of CCleaner is no longer available for download.

[Editor Comments]
[Northcutt] Kudos to Cisco Talos; this could have been much worse. Many people think of CCleaner as a Windows tool, but it's also been an important cybersecurity tool for Mac users for a long time. Try not to let this event keep you from trying the tool:
https://www.howtogeek.com/172820/beginner-geek-what-does-ccleaner-do-and-should-you-use-it/
https://www.howtogeek.com/113382/how-to-use-ccleaner-like-a-pro-9-tips-tricks/
Read more in:
Cisco Talos: CCleanup: A Vast Number of Machines at Risk
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
Bleeping Computer: CCleaner Compromised to Distribute Malware for Almost a Month
https://www.bleepingcomputer.com/news/security/ccleaner-compromised-to-distribute-malware-for-almost-a-month/
Bleeping Computer: CCleaner Malware Incident - What You Need to Know and How to Remove
https://www.bleepingcomputer.com/how-to/security/ccleaner-malware-incident-what-you-need-to-know-and-how-to-remove/
ZDNet: Hackers hid malware in CCleaner PC tool for nearly a month
http://www.zdnet.com/article/hackers-hid-malware-in-ccleaner-pc-tool-for-nearly-a-month/
Wired: Software Has a Serious Supply-Chain Security Problem
https://www.wired.com/story/ccleaner-malware-supply-chain-software-security/
CyberScoop: Hackers put malware in popular PC utility CCleaner
https://www.cyberscoop.com/ccleaner-malware-avast-cisco-talos/?category_news=technology
SoftPedia: CCleaner Compromised to Gather and Transmit Information About Its Users
http://news.softpedia.com/news/ccleaner-compromised-to-gather-and-transmit-information-about-its-users-517750.shtml

Motel 6 to Prohibit Locations from Voluntarily Sharing Registry Information with ICE (September 18, 2017)

US chain Motel 6 is clarifying its privacy and data-sharing policy after an employee at a Motel 6 location in Arizona said they routinely sent registry information to officials at Immigration and Customs Enforcement without a warrant. While Motel 6's privacy policy notes that it does collect guest information and may be compelled to share that information with the government or law enforcement, there is no law that requires the hotels to provide that information voluntarily. According to a statement, Motel 6 "will be issuing a directive to every one of our more than 1,400 locations nationwide, making clear that they are prohibited from voluntarily providing daily guest lists to ICE."

Read more in:
SC Magazine: Motel 6 to revamp privacy, data sharing policies after Phoenix locations send guest info to ICE
https://www.scmagazine.com/motel-6-to-revamp-privacy-data-sharing-policies-after-phoenix-locations-send-guest-info-to-ice/article/689360/

Walter Copan, NIST Director Nominee, Ranks Cyber Top Priority (September 18, 2017)

Walter Copan has been nominated to become the next director for the US National Institute of Standards and Technology (NIST). Copan's top priority for NIST is the implementation of the Cyber Security Framework. He also wants to ensure that improvements to cyber security are available not just to government agencies and large corporations, but to small businesses as well. Copan says his "personal priority is finding better ways [of] engaging with industry and finding partnerships."

Read more in:
Science: Cybersecurity and technology transfer seen as top priorities for NIST director nominee
http://www.sciencemag.org/news/2017/09/cybersecurity-and-technology-transfer-seen-top-priorities-nist-director-nominee

New Safari Anti-Tracking Feature Not Popular with Advertisers (September 16, 2017)

Online advertisers are not happy with Apple's new anti-tracking feature for Safari in macOS High Sierra and iOS 11. The newest versions of Apple's operating systems will incorporate Intelligent Tracking Prevention in the Safari browser. The feature limits how long cookies persist, ranging from 30 days for cookies set by sites a user visits to immediate purging of cookies set by third-party advertising networks.

[Editor Comments]
[Murray] Will the other browser publishers follow suit or give in to the advertisers who pay them? My VPN (Logmein) synchronizes the clipboards on my iPad client with my Windows server. Thus, I am able to easily render URLs in the safety of my iPad where the features of the browser do not include the ability to make persistent changes to the underlying system.

Read more in:
Engadget: Advertisers are upset with Safari's new anti-tracking features
https://www.engadget.com/2017/09/16/advertisers-are-upset-with-safaris-new-anti-tracking-features/
Ars Technica: Ad industry "deeply concerned" about Safari's new ad-tracking restrictions
https://arstechnica.com/tech-policy/2017/09/ad-industry-deeply-concerned-about-safaris-new-ad-tracking-restrictions/
Apple WebKit: Intelligent Tracking Prevention
https://webkit.org/blog/7675/intelligent-tracking-prevention/

Chrome to Label Resources Delivered via FTP "Not Secure" (September 15, 2017)

Version 63 of Google's Chrome browser, scheduled for release in December, 2017, will label all resources delivered via file transfer protocol (FTP) as "not secure." The FTP network protocol dates back to 1971 and does not encrypt traffic.

[Editor Comments]
[Murray] FTP is "historically broken" and is often configured so as to expose the entire file system. SFTP has been available for more than fifteen years. For many enterprises, the only reason that ftp is there is that it still installs by default. For others, it is that some obscure application continues to use it. Hackers argue that its very presence implies authorization to use it for whatever it can see.

Read more in:
The Register: Chrome to label FTP sites insecure
http://www.theregister.co.uk/2017/09/15/chrome_to_label_ftp_sites_insecure/
HelpNetSecurity: Chrome will tag FTP sites as "Not secure"
https://www.helpnetsecurity.com/2017/09/15/chrome-ftp-insecure/
Google Chromium: PSA: `ftp://` resources will be marked "Not Secure"
https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/HknIAQwMoWo/xYyezYV5AAAJ

Prison Sentence for Health Care System Intruder (September 13 & 15, 2017)

A federal court judge in Pittsburgh, Pennsylvania has sentenced Brandon Coughlin to 27 months in prison for breaking into a former employer's computer system, disabling administrative controls, and using a credit card belonging to the organization to make personal purchases. Coughlin had previously been employed as a systems administrator at a health care facility. He has also been ordered to pay nearly 65,000 USD in restitution.

[Editor Comments]
[Murray] Before granting privilege to an employee, management must know how that privilege will be withdrawn upon a less-than-amicable separation. That begins with token-based strong authentication to unique userIDs, and requires resisting the expansion of privilege (like Edward Snowden was able to do).

Read more in:
SC Magazine: Houston man sentenced to 27 months for hospital hack
https://www.scmagazine.com/houston-man-sentenced-to-27-months-for-hospital-hack/article/689175/
DoJ: Texas Man Sentenced to 27 Months In Prison for Damaging Health Care System's Computers
https://www.justice.gov/usao-wdpa/pr/texas-man-sentenced-27-months-prison-damaging-health-care-system-s-computers

EAC Voluntary Election Security Guidelines (September 12, 2017)

The US Election Assistance Commission (EAC) has released draft guidelines for elections systems security and reliability. The voluntary guidelines do not include specifications. Instead, they offer a list of 15 principles, including system integrity, data protection, physical security, auditability, and access control.

[Editor Comments]
[Pescatore] The last 7 "Principles" are essential excerpts from the CIS Critical Security Controls, but in very "squishy" language. My guess is that most vendors producing insecure election systems could word a response that says "compliant" with each principle.
[Murray] To be effective, any such guidelines must focus on ensuring that all votes are properly counted and reported, i.e., where history tells us any fraud will be, rather than simply that they were properly recorded.
Read more in:
FCW: New guidelines for hack-proof elections get a key vote of approval
https://fcw.com/articles/2017/09/12/elections-guidelines-eac.aspx
EAC: Voluntary Voting System Guidelines 2.0 (PDF)
https://www.eac.gov/assets/1/6/VVSG-2.0-draft-principles-and-guidelines_8.18.17.pdf

INTERNET STORM CENTER TECH CORNER

Bashware: Bypassing Windows Security via Linux (WSL)

https://research.checkpoint.com/beware-bashware-new-method-malware-bypass-security-solutions/

JavaScript Rogue Crypto Currency Miner

https://www.welivesecurity.com/2017/09/14/cryptocurrency-web-mining-union-profit/

NodeJS Hash Table DoS

https://medium.com/@ahmadbamieh/nodejs-constant-hashtables-seeds-vulnerability-f03bf70e3593

HTTPS Interception

https://blog.cloudflare.com/understanding-the-prevalence-of-web-traffic-interception/

CCleaner Compromise

http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

Word INCLUDEPICTURE Feature Abuse

https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899/

security.txt file

https://www.ietf.org/id/draft-foudil-securitytxt-00.txt
https://www.ietf.org/rfc/rfc2142.txt


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create