SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #86
October 31, 2017
FLASH: The Oracle patch needs to be installed now.
****************************************************************************
SANS NewsBites October 31, 2017 Vol. 19, Num. 086
****************************************************************************
TOP OF THE NEWS
Oracle Releases Emergency Fixes for Critical Flaw in Identity Manager
Draft Voting Systems Integrity Guidelines
McAfee Won't Allow Foreign Governments to Review Source Code
REST OF THE WEEK'S NEWS
London Heathrow Airport Security Data on Found USB Stick
DHS Not Sharing Cyber Threat Info Quickly Enough
Google Will Deprecate Public Key Pinning Support in Chrome
Equifax Was Notified of Vulnerability Months Before Breach
Cyber Shield Act Would Establish Voluntary IoT Certification Program
SEC Had Been Warned About Lack of Encryption for Years
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By ********************************
Join the SANS Institute in Boston at the SOC Briefing for the Cybersecurity Community where vendors will present sessions demonstrating their tools and capabilities to support threat hunting, or incorporate the results of threat hunting. This half-day event is free to the Cybersecurity Community. Networking lunch following. Not in Boston? Attend via simulcast. More info at: http://www.sans.org/info/199215
*****************************************************************************
TRAINING UPDATE
-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017
-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 | https://www.sans.org/event/pen-test-hackfest-2017
-- SANS Sydney 2017 | November 13-25 | https://www.sans.org/event/sydney-2017
-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017
-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017
-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | https://www.sans.org/event/siem-tactical-analytics-summit-2017
-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018
-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018
-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018
-- SANS OnDemand and vLive Training | Get a New 12.9" iPad Pro with Smart Keyboard, or an HP ProBook 450 G4, or take $500 Off OnDemand or vLive Training when you register by November 8! The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
*****************************************************************************
TOP OF THE NEWS
--
Oracle Releases Emergency Fixes for Critical Flaw in Identity Manager
(October 30, 2017)
Oracle has released an emergency security update to fix a critical vulnerability in the Oracle Identity Manager component of Oracle Fusion Middleware. The flaw could be exploited to take control of vulnerable systems. It was not fixed in Oracle's recent quarterly critical patch update.
[Editor Comments]
[Ullrich] This patch secures a default account that could be used to log in with administrator level privileges. It will be trivial to exploit once these credentials are released. Identity Manager is an important piece of software controlling access to enterprise software and a compromise of it is pretty much a worst-case scenario. Patch now!
Read more in:
The Register: 10/10 would patch again: Big Red plasters 'easily exploitable' backdoor in Oracle Identity Manager
Oracle: Oracle Security Alert Advisory - CVE-2017-10151
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html
--
Draft Voting Systems Integrity Guidelines
(October 27, 2017)
The US Election Assistance Commission (EAC), along with the National Institute of Standards and Technology (NIST), has published draft Voluntary Voting Systems Guidelines 2.0, which offers 15 principles for safeguarding the integrity of elections. While the guidelines are voluntary, it is worth noting that 47 of the 50 US states are abiding by at least some portions of version 1.0 of the document. The new version addresses elements of the voting process, such as voter registration, that are not addressed in 1.0.
Read more in:
GCN: Draft guidelines tackle voting security
https://gcn.com/articles/2017/10/27/election-guidelines.aspx?admgarea=TC_SecCybersSec
EAC: Voluntary Voting System Guidelines 2.0 (PDF)
https://www.eac.gov/assets/1/6/TGDC_Recommended_VVSG2.0_P_Gs.pdf
--
McAfee Won't Allow Foreign Governments to Review Source Code
(October 26 & 27, 2017)
McAfee says it will stop allowing foreign governments to review its source code. A report earlier this year said that several tech companies had allowed the Russian government to peer into their source code; McAfee was listed among these companies at the time of that report. Symantec stopped allowing source code review by governments in early 2016.
[Editor Comments]
[Pescatore] Odd to see US security vendors refusing to allow their source code to be inspected, while Chinese and Russian security vendors allow it. Most Gartner Magic Quadrants show growing numbers of Asian and European vendors growing faster in markets than many of the older, more established US vendors. Evidence of external testing of software should be a standard procurement requirement, especially for security software.
Read more in:
Reuters: McAfee says it no longer will permit government source code reviews
SC Magazine: McAfee won't allow government code reviews as Kaspersky offers more transparency
V3: McAfee puts an end to government source code reviews because governments just can't be trusted
Nextgov: McAfee Stops Letting Foreign Governments See Its Source Code
*************************** SPONSORED LINKS *******************************
1) Looking to improve your security awareness programme? Sign-up to the European Security Awareness Summit & learn from like-minded Security Awareness Officers: http://www.sans.org/info/199220
2) Don't Miss "Spamhaus DNS Firewall ( DNS RPZ ) - DNS as a 'Critical Choke Point' to Block Resolution of Known Malicious Sites" Register: http://www.sans.org/info/199225
3) Join Proofpoint for a webinar covering best practices on securing Office 365. Register: http://www.sans.org/info/199230
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
London Heathrow Airport Security Data on Found USB Stick
(October 30, 2017)
A USB stick found on a London (UK) street contains security information about Heathrow Airport. The data on the device include information about security measures and travel details for Queen Elizabeth II, as well as maps of tunnels and cameras, anti-terrorism measures, and patrol schedules. The data were not encrypted and were not protected with a password. Heathrow Airport has launched an investigation.
[Editor Comments]
[Pescatore] This incident is like a microcosm of the encryption debate. If we knew the sensitive data on the USB drive came from the good guys, I'd write about how laptops and removable storage should always be routinely encrypted. If investigations into the unencrypted USB device lead to information about a terrorist plot, the counter argument would be that encryption thwarts terrorist and criminal investigations. But think about this: in October 2016, the UK government reported that at least 1,000 government laptops, computers and USB flash drives had been reported lost or stolen since May 2015. Ubiquitous, persistent content encryption protects citizens and businesses against cyber attacks exponentially more than it enables criminals and terrorists to evade detection.
[Northcutt] A Google search for "USB drives encrypted volumes" yields 3.35M hits for Windows and Linux. Need we say more?
[Murray] We should be storing enterprise data only on servers, in document management systems and other databases, resisting arbitrary copies, and holding users accountable for them.
Read more in:
CNET: USB stick detailing airport security found in London street
https://www.cnet.com/news/usb-stick-detailing-heathrow-airport-security-found-in-london-street/
Ars Technica: Man finds USB stick with Heathrow security plans, Queen's travel details
--
DHS Not Sharing Cyber Threat Info Quickly Enough
(October 30, 2017)
According to a report from the Government Accountability Office (GAO), half of the critical infrastructure industry representatives responding to a GAO interview said that the US Department of Homeland Security (DHS) does not share cyber and physical threat information quickly enough.
[Editor Comments]
[Assante] There are times where DHS needs to be prepared to augment their responsible risk communicator role with timely first-heard reporting. DHS should explore establishing a 'tipper' program to rapidly share not-fully-evaluated threat information. The program will work only if the readership understands that information may be incorrect and modified through quick updates.
Read more in:
Nextgov: DHS is Too Slow to Share Cyber Threat Info, Companies Say
GAO: Critical Infrastructure Protection: DHS Risk Assessments Inform Owner and Operator Protection Efforts and Departmental Strategic Planning
http://www.gao.gov/products/GAO-18-62
--
Google Bug Database Flaws
(October 30, 2017)
A security "researcher" exploited flaws in Google's internal bug reporting system to access some of the company's most critical unpatched vulnerabilities. Known as the Issue Tracker or Buganizer, the system lets researchers and bug hunters submit flaws and other issues found in Google products and services.
[Editor Comments]
[Pescatore] My hope is that Google applies the lessons learned from fixing this vulnerability to improving detection of similar flaws in apps submitted to the Google Play app store.
Read more in:
Medium: Messing with the Google Buganizer System for $15,600 in Bounties
ZDNet: A flaw in Google's bug database exposed private security vulnerability reports
Motherboard: Bug in Google's Bug Tracker Lets Researcher Access List of Company's Vulnerabilities
--
Google Will Deprecate Public Key Pinning Support in Chrome
(October 28 & 30, 2017)
Google says it plans to deprecate support for HTTP public key pinning (HPKP) in its Chrome browser, with the goal of removing it from Chrome completely. Google will likely deprecate support starting with Chrome 67, which is expected to be released to the stable channel by the end of May 2018. HPKP was designed to prevent attacks that use SSL certificate impersonation, but it has created problems when it is not deployed correctly.
[Editor Comments]
[Ullrich] Sad to see public key pinning go, but the writing was on the wall. Hardly any website supports it, and a self-inflicted denial of service was too likely to make it worth the effort for most. I hope certificate transparency and CAA records will sufficiently solve the problem of rogue certificates being issued.
Read more in:
Threatpost: Google to Ditch Public Key Pinning in Chrome
https://threatpost.com/google-to-ditch-public-key-pinning-in-chrome/128679/
Bleeping Computer: Google to Remove Public Key Pinning (PKP) Support in Chrome
Google Groups: Intent To Deprecate And Remove: Public Key Pinning
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ
The Register: RIP HPKP: Google abandons public key pinning
http://www.theregister.co.uk/2017/10/30/google_hpkp/
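Added example, not code from the newsletter or from Google/Chromium: a stdlib-only Python model of how a browser evaluates a Public-Key-Pins header (RFC 7469), showing the two ways a deployment goes wrong that the item and Ullrich's comment allude to, a header with no backup pin that the browser simply ignores, and a key rotation to an unpinned key that locks clients out for the rest of max-age. The SPKI inputs are constructed byte strings standing in for DER-encoded keys, and the pin values are derived from them.

```python
"""HPKP (RFC 7469) pin evaluation, stdlib only. SPKI inputs below are
constructed byte strings standing in for DER-encoded keys."""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class PinPolicy:
    pins: List[str]            # pin-sha256 values from the header
    max_age: int               # seconds the browser caches the policy
    include_subdomains: bool = False
    report_uri: Optional[str] = None

def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 = base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")

def parse_pkp_header(value: str) -> PinPolicy:
    """Parse a Public-Key-Pins header value into its directives."""
    pins: List[str] = []
    max_age: Optional[int] = None
    include_subdomains, report_uri = False, None
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.append(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "report-uri":
            report_uri = val
    if max_age is None:
        raise ValueError("max-age is a required directive")
    return PinPolicy(pins, max_age, include_subdomains, report_uri)

def policy_noted(policy: PinPolicy, chain_spki: List[bytes]) -> bool:
    """A browser records the policy only if at least one pin matches an SPKI
    in the validated chain AND at least one does not (the backup pin);
    a header carrying a single matching pin is ignored."""
    chain_pins = {spki_pin(s) for s in chain_spki}
    return (any(p in chain_pins for p in policy.pins)
            and any(p not in chain_pins for p in policy.pins))

def connection_allowed(policy: PinPolicy, chain_spki: List[bytes]) -> bool:
    """Once a policy is noted, a later connection succeeds only if some pin
    matches some SPKI in the presented chain; otherwise the browser hard-fails
    for the rest of max-age, which is the self-inflicted denial of service."""
    chain_pins = {spki_pin(s) for s in chain_spki}
    return any(p in chain_pins for p in policy.pins)

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
LEAF_KEY, BACKUP_KEY, ROTATED_KEY = b"spki-leaf", b"spki-backup", b"spki-new"
GOOD_HEADER = (f'pin-sha256="{spki_pin(LEAF_KEY)}"; pin-sha256="{spki_pin(BACKUP_KEY)}"; '
               'max-age=5184000; includeSubDomains')
NO_BACKUP_HEADER = f'pin-sha256="{spki_pin(LEAF_KEY)}"; max-age=5184000'

def demo() -> dict:
    good = parse_pkp_header(GOOD_HEADER)
    return {
        "good_noted": policy_noted(good, [LEAF_KEY]),  # True
        "no_backup_noted": policy_noted(parse_pkp_header(NO_BACKUP_HEADER), [LEAF_KEY]),  # False
        "rotate_to_backup": connection_allowed(good, [BACKUP_KEY]),  # True
        "rotate_to_unpinned": connection_allowed(good, [ROTATED_KEY]),  # False: site bricked
    }
```

The last case is the operational trap: rotating to a key whose pin was never published leaves every client that cached the policy unable to connect until max-age (60 days here) runs out.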
--
Apache OpenOffice Update
(October 28 & 30, 2017)
The Apache Software Foundation has updated the Apache OpenOffice suite to fix four security issues in the word processing and graphics apps. The flaws have all been given a severity rating of medium. Three of the flaws are out-of-bounds vulnerabilities that could be exploited to allow arbitrary code execution. The fourth flaw lies in the way OpenOffice renders embedded objects and could be exploited to steal information. Users should upgrade to Apache OpenOffice 4.1.4.
Read more in:
Threatpost: Apache OpenOffice Update Patches Four Vulnerabilities
https://threatpost.com/apache-openoffice-update-patches-four-vulnerabilities/128669/
SC Magazine: Apache OpenOffice patches four vulnerabilities in 4.1.4 update
OpenOffice: Apache OpenOffice 4.1.4 released
https://www.openoffice.org/security/bulletin.html
--
Equifax Was Notified of Vulnerability Months Before Breach
(October 28 & 29, 2017)
Months before the massive breach that compromised personal information of at least 145 million people, Equifax had been warned that its systems were vulnerable to the type of attack that the hackers ultimately used. Six months after being notified of the vulnerability, Equifax fixed it, but the breach had already occurred.
[Editor Comments]
[Northcutt] The US Senate just passed legislation overturning a consumer protection rule, 5 years in the making, relating to financial companies' gross misuse of their responsibilities. By taking away the possibility of a class action lawsuit, Equifax, Wells Fargo, etc. have very little risk, hence little incentive, to protect customer information:
http://fortune.com/2017/10/25/senate-vote-bank-class-action-lawsuit-arbitration/
http://time.com/4996322/senate-repeal-consumer-financial-protection-class-action-banks/
https://www.ft.com/content/1395ce62-6740-3c3a-9dad-b454b4242d18
Read more in:
Motherboard: Equifax Was Warned
Wired: Security News This Week: Equifax Was Warned of Vulnerability Months Before Breach
https://www.wired.com/story/equifax-warned-of-vulnerability-months-before-breach/
--
Google Patches Chrome Flaw
(October 27, 2017)
Google has fixed a stack-based buffer overflow vulnerability in its Chrome browser that could be exploited to execute arbitrary code. The Chrome stable channel has been updated to 62.0.3203.75 for Windows, Mac, and Linux.
[Editor Comments]
[Pescatore] Other than Microsoft, the browser world has largely moved to continuous patching. There have been very few, if any, reports of business disruption due to this, and IT doesn't really have to track what version of browser their users are running. This is a good example of why embedding apps like browsers into operating systems is not a good idea.
Read more in:
Threatpost: Google Patches 'High Severity' Browser Bug
https://threatpost.com/google-patches-high-severity-browser-bug/128661/
Google Blog: Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop_26.html
--
Cyber Shield Act Would Establish Voluntary IoT Certification Program
(October 27, 2017)
US Representative Ted Lieu (D-California) and Senator Ed Markey (D-Massachusetts) have introduced the Cyber Shield Act, which would give the Department of Commerce the authority to develop a rating and certification system for Internet of Things (IoT) devices. Commerce would also be called upon to establish an advisory committee that includes industry representatives, cyber security experts, and federal employees. Earlier this year, sponsors of another IoT security bill rejected warning tags as "convey[ing] a false sense of security."
Read more in:
Cyberscoop: Two lawmakers want to give consumers a way to know if their IoT devices are secure
https://www.cyberscoop.com/cyber-shield-ted-lieu-ed-markey-internet-of-things/
FCW: Will warning labels shield users against insecure IoT?
https://fcw.com/articles/2017/10/27/warning-labels-lieu-markey-iot.aspx
The Hill: Dems push for program to secure internet-connected devices
--
SEC Had Been Warned About Lack of Encryption for Years
(October 24, 2017)
The US Securities and Exchange Commission (SEC) had been warned for years that its lack of encryption put its data at risk, according to a report in the Washington Post. The latest warning came in a July 2017 report from the Government Accountability Office (GAO), just one month before the 2016 breach was disclosed. GAO has been warning the SEC about the problem since 2008.
Read more in:
WashPost: SEC ignored years of warnings about cybersecurity before massive breach
INTERNET STORM CENTER TECH CORNER
Critical New Oracle Patch
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10151-4016513.html
CatchAll Google Chrome Plugins
Crypto Coin Mining Feature Found in Google App Store Downloads
Google Chrome Moving Away from HTTPS Public Key Pinning (HPKP)
https://groups.google.com/a/chromium.org/forum/#!msg/blink-dev/he9tr7p3rZ8/eNMwKPmUBAAJ
Effort To Remove Trust From Dutch CA Over New Intercept Law
https://bugzilla.mozilla.org/show_bug.cgi?id=1408647
ACE Files Used For Malware
https://isc.sans.edu/forums/diary/Remember+ACE+files/22978/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create