SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #80

October 10, 2017

Help us recognize unsung heroes of cybersecurity - inside or outside your own organization - so others may learn from their successes and the lessons they learned. Previous winners ranged from middle and high school teachers of STEM programs, to the "Hack the Pentagon" team, to SOC analysts, community college lab managers, and military personnel. This year's crop already includes cyber range innovators, automotive IoT leaders, state CISOs illuminating vulnerabilities, and more. Send nominations of people or teams for the 2017 Security Difference Makers Awards to trends@sans.org. Deadline: October 20. Full details http://www.sans.org/cyber-innovation-awards

TOP OF THE NEWS


Equifax Exhibiting Poor Cyber Hygiene Before Breach, According to Third-Party Analysis
Missouri's Public Vulnerability Program

THE REST OF THE WEEK'S NEWS


FormBook Malware Steals Data
Disqus Breach
Secure Inter-Domain Routing Standards Aim to Help Secure Border Gateway Protocol
VPN Logs Help Identify Cyber Stalking Suspect
Forrester Discloses Breach
Updates for Windows 7, Windows 8 Not Keeping Pace with Windows 10 Updates
High Sierra Supplemental Update Fixes Password Exposure Flaws
FDIC OIG: Poor Breach Response
Facebook Report Omitted Russia from Election Interference Report in April
Managing iOS11 Wi-Fi and Bluetooth Settings

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Splunk *******************************

Splunk Webinar Featuring Forrester: Transform Your SecOps Using Analytics-Driven Security. Legacy SIEMs and security intelligence solutions continue to fail to keep pace with the rate and sophistication of modern day threats. Join this webinar featuring Forrester Research Senior Analyst Joseph Blankenship to learn why, to address the continuous onslaught of attacks and threats they face, organizations need to transform their approach to security by leading with analytics. http://www.sans.org/info/198685

***************************************************************************

TRAINING UPDATE

-- SANS Cyber Defense Initiative ® 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 | https://www.sans.org/event/pen-test-hackfest-2017

-- SANS Sydney 2017 | November 13-25 | https://www.sans.org/event/sydney-2017

-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017

-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017

-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | https://www.sans.org/event/siem-tactical-analytics-summit-2017

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS OnDemand and vLive Training | SANS Online Training - Get an iPad, a Samsung Galaxy Tab A or take $250 Off with OnDemand or vLive training through October 11. The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

--Equifax Exhibiting Poor Cyber Hygiene Before Breach, According to Third-Party Analysis
(September 26, 2017)

Equifax was exhibiting security weaknesses in the months prior to the massive data security breach, according to four different companies that rate organizations' security status based on publicly available information. (Please note that this story is behind a paywall.)

Read more in:
WSJ: Equifax Security Showed Signs of Trouble Months Before Hack
https://www.wsj.com/articles/equifax-security-showed-signs-of-trouble-months-before-hack-1506437947

--Missouri's Public Vulnerability Program
(October 6, 2017)

The Missouri Office of Cyber Security (OCS) is scanning systems at universities, government agencies, and private companies in the state to help them identify unpatched vulnerabilities. The Using Public Data to Alert Organizations of Vulnerabilities program scans for known flaws and notifies organizations when they are found. In May 2016, OCS scanned for Windows Server 2003 hosts and found 9,000 instances of the product, which had not been supported since July 2015.

[Editor Comments]
[John Pescatore]
Censys, like Shodan, has been making this kind of data easily accessible since about 2015. Nice to see the State of Missouri taking initiative to use this data to work to make state systems more secure.

Read more in:
GCN: Finding flaws in the system
https://gcn.com/articles/2017/10/06/missouri-public-data-vulnerability-program.aspx?admgarea=TC_SecCybersSec
Missouri: Using Public Data to Alert Missouri Entities of Vulnerabilities
https://cybersecurity.mo.gov/blog/2017/06/using-public-data-to-alert-missouri-entities-of-vulnerabilities/

*************************** SPONSORED LINKS ********************************

1) It's time for a new approach. Register for "Isolate the Critical: How to Deploy Microsegmentation for Operational Resiliency" http://www.sans.org/info/198690

2) Join Mike Assante, SANS Director of Critical Infrastructure & ICS/SCADA to explore why "basic" ICS/SCADA security won't cut it anymore. http://www.sans.org/info/198695

3) Share your latest techniques and tools for securing cloud-based assets at the SANS Cloud Security Summit. Our call for presentations is open through 10/13: http://www.sans.org/info/198700

******************************************************************************

THE REST OF THE WEEK'S NEWS

--FormBook Malware Steals Data
(October 9, 2017)

Malware known as FormBook is being used to infiltrate systems at aerospace, military contractor, and manufacturing firms in the US and South Korea. Once the malware has gained a foothold on a system, it can be used to steal data. In the US, the malware is spreading through malicious PDF, DOC, and XLS attachments. In South Korea, FormBook is spreading through email containing malicious archive files.

Read more in:
Threatpost: FormBook Malware Targets US Defense Contractors, Aerospace and Manufacturing Sectors
https://threatpost.com/formbook-malware-targets-us-defense-contractors-aerospace-and-manufacturing-sectors/128334/

--Disqus Breach
(October 6 & 9, 2017)

Disqus, a company that develops comment systems for news sites, says that a data breach in 2012 exposed personally identifiable information of 17.7 million users. The compromised information dates back as far as 2007. Roughly one-third of the breached accounts included passwords that were SHA1 hashed with a salt.

[Editor Comments]
[Williams] SHA1 password hashes are trivial to crack, so if you have/had a Disqus account, change your password. Actually, if you're using ANY password from 2012 that isn't a full passphrase, the time to change it has long since passed.
[Stephen Northcutt] If you have passwords dating back to 2007 - 2012, it is probably time to change them.

Read more in:
Cyberscoop: Disqus confirms 2012 database breach impacting 17.5 million users
https://www.cyberscoop.com/disqus-breach-2012-troy-hunt/
Engadget: Disqus reveals it suffered a security breach in 2012
https://www.engadget.com/2017/10/06/disqus-reveals-it-suffered-a-security-breach-in-2012/
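
The Disqus item above notes that the exposed passwords were salted SHA1 hashes, and the editor comment that such hashes are trivial to crack. The reason is cost: one SHA1 evaluation is microseconds, so a salt stops precomputed tables but not straightforward guessing. The added example below (written for this newsletter, not code from Disqus or from any of the linked articles) shows the defender's fix: verify legacy salted-SHA1 records, but transparently replace them with a slow, iterated PBKDF2-HMAC-SHA256 record the next time the user logs in, and measure how much more expensive each guess becomes. The record formats, the salt, the iteration count and the sample passwords are all constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# Constructed record formats used by this example (assumptions, not Disqus's):
#   legacy:  sha1$<salt hex>$<hex of SHA1(salt || password)>
#   modern:  pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>
PBKDF2_ITERATIONS = 200_000  # assumption: tune so one evaluation costs ~100 ms on your servers


def legacy_sha1_record(password: str, salt: bytes) -> str:
    """Build a legacy salted-SHA1 record. Kept only so old records can still be verified."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Build a PBKDF2-HMAC-SHA256 record with a fresh random salt unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(record: str, password: str) -> bool:
    """Verify a password against either record format using a constant-time comparison."""
    parts = record.split("$")
    if parts[0] == "sha1" and len(parts) == 3:
        expected = legacy_sha1_record(password, bytes.fromhex(parts[1]))
        return hmac.compare_digest(expected, record)
    if parts[0] == "pbkdf2_sha256" and len(parts) == 4:
        iterations, salt = int(parts[1]), bytes.fromhex(parts[2])
        expected = pbkdf2_record(password, salt, iterations)
        return hmac.compare_digest(expected, record)
    return False  # unknown or malformed record: never accept


def verify_and_upgrade(record: str, password: str) -> Tuple[bool, Optional[str]]:
    """Check a login; on success against a legacy record, return the replacement to store.

    The plaintext password is only available at login time, so that is the one
    moment a site can migrate an account off salted SHA1 without a forced reset.
    """
    if not verify(record, password):
        return False, None
    if record.startswith("sha1$"):
        return True, pbkdf2_record(password)
    return True, None  # already on the modern scheme, nothing to store


def evaluations_per_second(record_fn: Callable[[str, bytes], str], seconds: float = 0.2) -> float:
    """Rough single-core rate at which one password guess can be evaluated under a scheme."""
    salt = b"\x00" * 16
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        record_fn("guess", salt)
        count += 1
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed legacy record, as it might sit in a 2012-era user table.
    old = legacy_sha1_record("correct horse battery staple", bytes.fromhex("00112233445566778899aabbccddeeff"))
    ok, replacement = verify_and_upgrade(old, "correct horse battery staple")
    print("login ok:", ok)
    print("store instead:", replacement)
    print("legacy guesses/s: %.0f" % evaluations_per_second(legacy_sha1_record))
    print("pbkdf2 guesses/s: %.1f" % evaluations_per_second(pbkdf2_record))
```

The comparison uses hmac.compare_digest on the whole record string, so the length and every byte of the digest are compared in constant time. The measured rates will differ by machine, but the gap between the two schemes is several orders of magnitude, which is exactly the margin a salt alone never buys.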

--Secure Inter-Domain Routing Standards Aim to Help Secure Border Gateway Protocol
(October 9, 2017)

The US National Institute of Standards and Technology's (NIST) National Cybersecurity Center of Excellence (NCCoE) and the Department of Homeland Security's (DHS) Science and Technology Directorate have worked together to develop a set of standards to help secure the Border Gateway Protocol (BGP), which is used to route Internet traffic between various providers and networks. The project, known as Secure Inter-Domain Routing (SIDR), has begun posting some of the developed standards to the Internet Engineering Task Force (IETF) portal.

Read more in:
Bleeping Computer: New NIST and DHS Standards Get Ready to Tackle BGP Hijacks
https://www.bleepingcomputer.com/news/technology/new-nist-and-dhs-standards-get-ready-to-tackle-bgp-hijacks/
NCCoE: Secure Inter-Domain Routing
https://nccoe.nist.gov/projects/building-blocks/secure-inter-domain-routing
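
The building block that the SIDR work puts in front of BGP hijacks is route origin validation: a router compares each announcement's prefix and origin ASN against Route Origin Authorizations (ROAs) and marks it valid, invalid or not-found (RFC 6811, a SIDR working group standard). The added example below is written for this newsletter and is not code from NIST, NCCoE or the linked articles; it implements that comparison over a constructed ROA table built from documentation prefixes and private ASNs, and applies the common policy of rejecting invalid routes while still accepting ones no ROA covers. The ROA entries, the update messages and the policy choice are all assumptions for illustration.

```python
from ipaddress import ip_network
from typing import Iterable, List, Tuple

# Constructed ROA table: (prefix, maxLength, authorized origin ASN).
# In production these come from an RPKI validator cache, not from source code.
ROAS: List[Tuple[str, int, int]] = [
    ("192.0.2.0/24", 24, 64496),      # only the /24 itself, from AS64496
    ("198.51.100.0/22", 24, 64497),   # the /22 and any sub-prefix down to /24
    ("2001:db8::/32", 48, 64496),     # IPv6 ROAs work the same way
    ("203.0.113.0/24", 24, 0),        # AS0 ROA: the holder authorizes nobody
]


def origin_validity(prefix: str, origin_asn: int,
                    roas: Iterable[Tuple[str, int, int]] = ROAS) -> str:
    """Classify an announced prefix/origin pair as 'valid', 'invalid' or 'not-found'.

    not-found: no ROA covers the prefix at all.
    valid:     a covering ROA names this origin and the prefix is no longer than maxLength.
    invalid:   ROAs cover the prefix but none permit this origin at this length.
    """
    net = ip_network(prefix, strict=True)
    if origin_asn == 0:
        return "invalid"  # AS0 never legitimately originates routes
    covering = []
    for roa_prefix, max_len, asn in roas:
        roa_net = ip_network(roa_prefix, strict=True)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "not-found"
    if any(asn == origin_asn and net.prefixlen <= max_len for max_len, asn in covering):
        return "valid"
    return "invalid"


def evaluate_update(prefix: str, as_path: List[int],
                    roas: Iterable[Tuple[str, int, int]] = ROAS) -> Tuple[str, str]:
    """Apply origin validation to a BGP UPDATE and return (state, policy action).

    The origin is the last ASN in AS_PATH. Policy here (an assumption, though a
    common one): drop invalid, accept valid, and accept not-found so that prefixes
    whose holders have not yet published ROAs keep working.
    """
    if not as_path:
        return "invalid", "reject"  # nothing to validate; treat conservatively
    state = origin_validity(prefix, as_path[-1], roas)
    return state, ("reject" if state == "invalid" else "accept")


if __name__ == "__main__":
    # Constructed sample updates: a legitimate route, a more-specific hijack of it,
    # a route from the wrong origin, and a prefix with no ROA.
    samples = [
        ("192.0.2.0/24", [64510, 64500, 64496]),
        ("192.0.2.0/25", [64510, 64500, 64496]),
        ("192.0.2.0/24", [64510, 64500]),
        ("10.0.0.0/8", [64510]),
    ]
    for prefix, path in samples:
        print(prefix, path, "->", evaluate_update(prefix, path))
```

The more-specific case is the one worth studying: a /25 announced by the right origin is still invalid because the ROA's maxLength is 24, which is how ROAs stop an attacker from winning longest-prefix-match with a sub-prefix. The AS0 entry shows the other direction, a holder publishing that a prefix must not be routed at all.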

--VPN Logs Help Identify Cyber Stalking Suspect
(October 8 & 9, 2017)

Information obtained from VPN services helped law enforcement authorities identify a cyber stalking suspect. The logs linked one VPN IP address to simultaneous logins to multiple accounts associated with the suspect.

[Editor Comments]
[John Pescatore]
I think PureVPN did the right thing here, both for privacy reasons and for business reasons. There are legitimate reasons why legal users want privacy services to do legal things and obey laws and societal norms. There are criminal reasons why criminals want to escape capture by law enforcement when they break laws and ignore societal norms. The PureVPN terms of service specifically prohibit criminal use of their service, and their privacy policy clearly says they will cooperate with law enforcement and that they do have connection logs. That type of balance is good for legal users and bad for criminal users, which is what businesses should be doing.

Read more in:
The Register: VPN logs helped unmask alleged 'net stalker, say feds
http://www.theregister.co.uk/2017/10/08/vpn_logs_helped_unmask_alleged_net_stalker_say_feds/
Bleeping Computer: Cyberstalking Suspect Arrested After VPN Providers Shared Logs With the FBI
https://www.bleepingcomputer.com/news/security/cyberstalking-suspect-arrested-after-vpn-providers-shared-logs-with-the-fbi/
Document Cloud: Criminal Complaint
http://www.documentcloud.org/documents/4082108-Lin-Affidavit.html
DoJ: Massachusetts Man Arrested and Charged with Cyberstalking Former Roommate
https://www.justice.gov/usao-ma/pr/massachusetts-man-arrested-and-charged-cyberstalking-former-roommate

--Forrester Discloses Breach
(October 7 & 9, 2017)

Forrester, a market research and investment advisory firm, said last week that its Forrester.com website hosting infrastructure had been breached. Armed with stolen user credentials, the attackers were able to download Forrester's proprietary research reports, which are available to paying Forrester clients.

[Editor Comments]
[John Pescatore]
Not much detail on how the user credentials were obtained, but this is another example of how businesses don't even offer their clients higher security options, even though many consumer-grade services do. Businesses can and should offer stronger log-in methods; I think they would be surprised how many of their customers would take them up on it. Instead, too many businesses hide behind the same flawed logic the Forrester CEO used: "We also understand there is a tradeoff between making it easy for our clients to access our research and security measures." The real tradeoff is between investing in giving customers high security options or not.

Read more in:
Bleeping Computer: Market Research Firm Forrester Says Hackers Stole Sensitive Reports
https://www.bleepingcomputer.com/news/security/market-research-firm-forrester-says-hackers-stole-sensitive-reports/
eWeek: Forrester Research Discloses Limited Website Data Breach
http://www.eweek.com/security/forrester-research-discloses-limited-website-data-breach

--Updates for Windows 7, Windows 8 Not Keeping Pace with Windows 10 Updates
(October 5 & 6, 2017)

While Microsoft is keeping Windows 10 up to date with security patches and other updates, it has not been as responsive in fixing those same vulnerabilities in Windows 7 and Windows 8. Microsoft is working on rolling out the fixes for the older operating systems, but once updates are available for Windows 10, attackers can use techniques like patch diffing to discover the unpatched flaws in other products.

[Editor Comments]
[Neely] Make sure your network and host protections can limit/contain exploits on older systems.
[Williams] There are a number of security-related reasons to move to Windows 10; this is simply the latest one. By patching in some OS versions and not others, Microsoft has created significant additional risk for organizations that have not yet moved to Windows 10. That said, unless Microsoft publicly admits that this was a mistake.

Read more in:
The Register: Microsoft silently fixes security holes in Windows 10 - dumps Win 7, 8 out in the cold
http://www.theregister.co.uk/2017/10/06/researchers_say_windows_10_patches_punch_holes_in_older_versions/
Google Project Zero: Using Binary Diffing to Discover Windows Kernel Memory Disclosure Bugs
https://googleprojectzero.blogspot.com/2017/10/using-binary-diffing-to-discover.html

--High Sierra Supplemental Update Fixes Password Exposure Flaws
(October 6, 2017)

On Thursday, October 5, Apple released a supplemental update to fix two vulnerabilities in the newly released macOS High Sierra 10.13. One of the flaws could be exploited to steal passwords from the macOS keychain. The second flaw lies in the StorageKit library: if a user sets a password hint in Disk Utility while creating an APFS-encrypted volume, the hint displays the actual password in plaintext.

Read more in:
SC Magazine: Apple issues new security update for macOS High Sierra
https://www.scmagazine.com/apple-issues-new-security-update-for-macos-high-sierra/article/698537/
eWeek: Apple Updates macOS High Sierra With Patches for Two Critical Flaws
http://www.eweek.com/security/apple-updates-macos-high-sierra-with-patches-for-two-critical-flaws
Threatpost: Emergency Apple Patch Fixes High Sierra Password Hint Leak
https://threatpost.com/emergency-apple-patch-fixes-high-sierra-password-hint-leak/128314/
Apple: About the security content of macOS High Sierra 10.13 Supplemental Update
https://support.apple.com/en-us/HT208165

--FDIC OIG: Poor Breach Response
(October 6, 2017)

According to an audit report from the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG), the agency is not adhering to its established breach response protocols. FDIC systems sustained numerous breaches between January 2015 and December 2016. The OIG report evaluated 18 of those breaches. The FDIC has since established clear lines of responsibility for breach management and notification.

[Editor Comments]
[Neely] Coupled with a clear understanding of expected response and recovery timelines, testing breach and disaster plans can go a long way to smooth response and recovery from an event. The first time you conduct a test is the most daunting; once done regularly, the process is simpler and you can better judge your ability to respond to current incidents seen elsewhere.
[John Pescatore]
FDIC averaged 288 days between detecting a PII breach and notifying individuals. The government requirements are pretty loosey-goosey on this but no way 288 days meets anyone's definition of "... as expeditiously as practicable and without unreasonable delay." The report points to lack of trained staff to handle "... dramatic increase in breach investigation activities and notifications" which likely means the root cause of that dramatic increase was also lack of skilled staff to avoid breaches.

Read more in:
FCW: Audit chides FDIC for sloppy breach protocols
https://fcw.com/articles/2017/10/06/fdic-breach-oig-report.aspx
FDIC OIG: The FDIC's Processes for Responding to Breaches of Personally Identifiable Information
https://www.fdicoig.gov/sites/default/files/report-release/17-006AUD.pdf

--Facebook Report Omitted Russia from Election Interference Report in April
(October 5, 2017)

A Facebook report on fake news released in late April contained no mention of Russia with regard to attempts to influence the 2016 US presidential election. Unnamed sources say that an earlier draft of the report did include references to Russia, but concerns from Facebook's legal and policy teams ultimately resulted in those references being cut. (Please note that the Wall Street Journal story is behind a paywall.)

Read more in:
WSJ: Facebook Cut Russia Out of April Report on Election Influence
https://www.wsj.com/articles/facebook-cut-russia-out-of-april-report-on-election-influence-1507253503
CNET: Facebook reportedly cut Russia from election meddling report
https://www.cnet.com/news/facebook-reportedly-cut-russia-from-election-meddling-report/
Facebook's April Report: Information Operations and Facebook (PDF)
https://fbnewsroomus.files.wordpress.com/2017/04/facebook-and-information-operations-v1.pdf

--Managing iOS11 Wi-Fi and Bluetooth Settings
(October 4 & 6, 2017)

Apple's most recently released mobile operating system, iOS11, makes it more difficult for users to truly turn off Wi-Fi and Bluetooth. In iOS11, when users switch off Wi-Fi and Bluetooth in the Control Panel, the device is disconnected from the networks and devices it is currently connected to, but the radios are not actually switched off. They remain active for AirDrop, Hotspot, Location Services, Apple Watch and other Apple features and devices. Users can truly turn off the settings by asking Siri to turn them off, by switching to Airplane mode, or by switching them off in Settings.

[Editor Comments]
[Neely] At first blush this is confusing to users. The purpose of the controls was changed from disabling the Wi-Fi/Bluetooth service to closing current connections, and pushes the "On/Off" control to the settings app. The ability to disconnect from a currently connected wireless network or Bluetooth device is a nice troubleshooting action. However, because the service is not off, another paired/recognized device in range will still connect automatically. iOS 11 includes help on using the new control center, including new behavior and customization options.

Read more in:
EFF: iOS 11's Misleading "Off-ish" Setting for Bluetooth and Wi-Fi is Bad for User Security
https://www.eff.org/deeplinks/2017/10/ios-11s-misleading-ish-setting-bluetooth-and-wi-fi-bad-user-security
Computerworld: iOS 11: 3 ways to really switch off Wi-Fi and Bluetooth
https://www.computerworld.com/article/3231644/apple-ios/ios-11-3-ways-to-really-switch-off-wi-fi-and-bluetooth.html

INTERNET STORM CENTER TECH CORNER

Payment Handler API

https://w3c.github.io/payment-handler/
https://blog.lukaszolejnik.com/privacy-of-web-request-api/

OpenSSH Version 7.6 Released

http://www.openssh.com/txt/release-7.6

The Dangers of Cables

https://isc.sans.edu/forums/diary/Whats+in+a+cable+The+dangers+of+unauthorized+cables/22904/

Base64 Encoded Word Documents

https://isc.sans.edu/forums/diary/Base64+All+The+Things/22912/

Microsoft Delaying Some Patches for Earlier Windows Versions

https://googleprojectzero.blogspot.sg/2017/10/using-binary-diffing-to-discover.html

Skimmer Scanner Helps Find Credit Card Skimmers

https://github.com/sparkfunX/Skimmer_Scanner

TLS 1.3 Remains "On Hold"

https://www.ietf.org/mail-archive/web/tls/current/msg24517.html

FIDO U2F Key Review/Test

https://www.imperialviolet.org/2017/10/08/securitykeytest.html


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create