SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #87
November 3, 2017
****************************************************************************
SANS NewsBites November 3, 2017 Vol. 19, Num. 087
****************************************************************************
TOP OF THE NEWS
Update WordPress Now
Ukraine Authorities Say BadRabbit Had Stealthy Counterpart
Apple OS Updates Address KRACK Flaws
REST OF THE WEEK'S NEWS
US Justice Dept. Has Identified Russian Government Members Involved with DNC Hack
Hilton to Pay $700,000 Penalty for Breaches
Malaysian Telecom Servers Breached, Account Data Stolen
Securing America's Voting Equipment Act Introduced in US Senate
Bill Will Not Call for NIST to Audit Federal Agencies' Cyber Security
Mozilla to Make Canvas Fingerprinting Opt-in in Firefox 58
Arrest in DDoS Case
PESCATORE FIRST LOOK: Facebook Sacrifices Growth for Security
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Splunk ***************************
Looking to improve your security posture? You are already using firewall data but what about endpoint, user activity and threat feeds? Join this webinar to learn how end-to-end security visibility is a critical first step to improving your security posture. You will also see how to get deeper insights with dashboards combining data from existing technology investments with Palo Alto Networks. http://www.sans.org/info/199255
*****************************************************************************
TRAINING UPDATE
-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | http://www.sans.org/u/vNd
-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 | http://www.sans.org/u/waL
-- SANS Sydney 2017 | November 13-25 | http://www.sans.org/u/wEL
-- SANS San Francisco Winter 2017 | November 27-December 2 | http://www.sans.org/u/wgE
-- SANS London November 2017 | November 27-December 2 | http://www.sans.org/u/wgJ
-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | http://www.sans.org/u/wKk
-- SANS Security East 2018 | New Orleans, LA | January 8-13 | http://www.sans.org/u/xmN
-- SANS Amsterdam January 2018 | January 15-20 | http://www.sans.org/u/wUT
-- SANS Secure Japan 2018 | February 19-March 3 | http://www.sans.org/u/wUY
-- SANS OnDemand and vLive Training | Get a New 12.9" iPad Pro with Smart Keyboard, or an HP ProBook 450 G4, or take $500 Off OnDemand or vLive Training when you register by November 8! The SANS Training you want with the flexibility you need. http://www.sans.org/u/xmI
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - http://www.sans.org/u/WK
-- Evening training 2x per week for 6 weeks with vLive - http://www.sans.org/u/WZ
-- Anywhere, Anytime access for 4 months with OnDemand format - http://www.sans.org/u/rEw
-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X9
Contact mentor@sans.org
-- Looking for training in your own community?
Community - http://www.sans.org/u/Xo
Plus Austin, Munich, Frankfurt, Miami, and Bangalore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN
*****************************************************************************
TOP OF THE NEWS
--
Update WordPress Now
(October 31 & November 1 & 2, 2017)
WordPress has updated its content management system to version 4.8.3 to fix a critical flaw that could be exploited with an SQL injection attack to take control of vulnerable websites. WordPress's first attempt to address the flaw, version 4.8.2 in September, actually made the problem worse.
Read more in:
ZDNet: WordPress patches SQL injection bug in security release
http://www.zdnet.com/article/wordpress-patches-sql-injection-bug-in-emergency-release/
SC Magazine: WordPress issues patch to eliminate SQL injection vulnerability
The Register: If your websites use WordPress, put down that coffee and upgrade to 4.8.3. Thank us later
http://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/
Threatpost: Wordpress Delivers Second Patch for SQL Injection Bug
https://threatpost.com/wordpress-delivers-second-patch-for-sql-injection-bug/128723/
WordPress: WordPress 4.8.3 Security Release
https://wordpress.org/news/2017/10/wordpress-4-8-3-security-release/
--
Ukraine Authorities Say BadRabbit Had Stealthy Counterpart
(November 2, 2017)
Authorities in Ukraine say that during the BadRabbit ransomware attack last week, a phishing campaign attempted to gain access to organizations' financial and confidential information. Hybrid attacks, in which a broad attack garners attention while a stealthy, more focused attack targets more sensitive information, are not uncommon.
[Editor Comments]
[Northcutt] For years now these attacks have been making use of libraries so that variants are easy; BadRabbit has code also seen in ExPetr and GoldenEye. One of the best technical write-ups is the Kaspersky blog:
https://securelist.com/bad-rabbit-ransomware/82851/
Read more in:
Reuters: Exclusive: Ukraine hit by stealthier phishing attacks during BadRabbit strike
--
Apple OS Updates Address KRACK Flaws
(October 31 & November 1, 2017)
Apple has released updates for both iOS and macOS that address vulnerabilities that could be exploited through key re-installation attacks, or KRACK. The operating system updates - iOS 11.1 and macOS High Sierra 10.13.1, Security Update 2017-001 Sierra, and Security Update 2017-004 El Capitan - address other vulnerabilities as well. Apple has also released updates for other products, including Safari, iTunes, and iCloud.
[Editor Comments]
[Neely] While the fix for KRACK is important and fixes a significant vulnerability, the likelihood of exploit is low due to the need for the attacker to be in close proximity, and the device needs to be accessing a vulnerable access point. Use of VPNs and TLS thwarts the effectiveness of the attack. iOS 11.1 is available for the iPhone 5S and later and the iPad Air and later; the Wi-Fi fix only applies to the iPhone 7 and later, and iPad Pro 9.7 and later.
Expect another update to iOS 11.1 in the near future after vulnerabilities were discovered in Trend Micro's Zero Day Initiative (ZDI) Pwn2Own competition on November 1st. https://www.techrepublic.com/article/new-ios-11-1-wi-fi-hack-drops-malware-on-your-iphone-to-steal-sensitive-data/ Apple has 90 days to respond before the ZDI group will release an advisory with mitigation steps.
Read more in:
Threatpost: Apple Patches Krack Vulnerability in iOS 11.1
https://threatpost.com/apple-patches-krack-vulnerability-in-ios-11-1/128707/
Bleeping Computer: iOS 11.1 Released with New Emojis and Fixes for the KRACK Vulnerabilities
eWeek: Apple Patches KRACK WiFi Vulnerability in iOS and macOS
http://www.eweek.com/security/apple-patches-krack-wifi-vulnerability-in-ios-and-macos
Computerworld: Apple putties Krack in macOS, iOS
https://www.computerworld.com/article/3235727/mac-os-x/apple-putties-krack-in-macos-ios.html
*************************** SPONSORED LINKS *********************************
1) Attend the 2nd Annual SANS Automotive Cybersecurity Summit, May 7-8, Chicago, IL. Register: http://www.sans.org/info/199260
2) Don't Miss: "What Works in Third Party Risk Assessment: Using BitSight for Consistent and Continuous Risk Rating" Register: http://www.sans.org/info/199265
3) Early bird registration for CyberThreat18 is available for those that successfully complete 6 testing challenges: http://www.sans.org/info/199270
*******************************************************************************
THE REST OF THE WEEK'S NEWS
--
US Justice Dept. Has Identified Russian Government Members Involved with DNC Hack
(November 2, 2017)
The US Department of Justice (DoJ) says it has identified at least six people suspected of being involved in breaking into the Democratic National Committee's (DNC's) computers and stealing information that was posted on WikiLeaks. DoJ may bring charges next year. (Please note that the Wall Street Journal story is behind a paywall.)
Read more in:
SC Magazine: Justice Dept. has enough evidence to charge Russian officials with DNC hack, report
The Register: US says it's identified six Ruski officials as DNC hack suspects
http://www.theregister.co.uk/2017/11/02/dnc_hack_probe_update/
WSJ: U.S. Prosecutors Consider Charging Russian Officials in DNC Hacking Case
https://www.wsj.com/articles/prosecutors-consider-bringing-charges-in-dnc-hacking-case-1509618203
--
Hilton to Pay $700,000 Penalty for Breaches
(October 31 & November 1, 2017)
Hilton Hotels will pay $700,000 USD for failing to "provide consumers with timely notice and... not maintain[ing] reasonable data security." The company also failed to comply with several Payment Card Industry Data Security Standard (PCI DSS) requirements. The penalty is to resolve claims regarding two separate security incidents - one in late 2014 and another the following spring and summer. The breaches exposed details of more than 360,000 payment cards. The settlement will be shared by the states of Vermont and New York.
[Editor Comments]
[Pescatore] I never saw an official financial statement from the Hilton hotel group on the cost of the breach, but that size breach would typically incur hard costs in the $3 - 4M range. As in this incident, the penalties and settlement costs are usually less than 1/3 of the total cost - but they get headlines and management attention. Security teams should use these headlines to show how PoS malware could be prevented or mitigated for much less than the cost of incurring just one event.
Read more in:
ZDNet: Hilton agrees to $700,000 settlement over data breaches
http://www.zdnet.com/article/hilton-agrees-to-700000-settlement-over-two-data-breaches/
Engadget: Hilton data breaches lead to $700,000 penalty
https://www.engadget.com/2017/10/31/hilton-data-breaches-700-000-penalty/
Reuters: Hilton to pay $700,000 over credit card data breaches
--
Malaysian Telecom Servers Breached, Account Data Stolen
(October 31 & November 1, 2017)
Data thieves stole customer information from servers at a dozen telecommunications firms in Malaysia. The breaches affect an estimated 46.2 million mobile phone accounts; Malaysia's population is 31.2 million. The thieves have attempted to sell the data on Internet forums.
Read more in:
Reuters: Malaysia investigating reported leak of 46 million mobile users' data
The Register: Virtually everyone in Malaysia pwned in telco, govt data hack spree
http://www.theregister.co.uk/2017/11/01/malaysia_telco_government_hack/
--
Securing America's Voting Equipment Act Introduced in US Senate
(October 31, 2017)
Two US legislators have introduced a bill aimed at protecting elections from being manipulated by hackers and foreign agents. The Securing America's Voting Equipment (SAVE) Act would designate elections systems as national critical infrastructure, require the US Comptroller General to assess voting machine integrity, and establish a "Hack the Election" competition to uncover flaws in the systems. The SAVE Act would also require the Department of Homeland Security (DHS) to run security clearances for top state election officials so they can receive classified threat information.
Read more in:
The Register: A draft US law to secure election computers that isn't braindead. Well, I'm stunned! I gotta lie down
http://www.theregister.co.uk/2017/10/31/us_election_hacking_law/
Nextgov: Bill Calls on Public to Hack Election System
Regmedia: Securing America's Voting Equipment Act of 2017 or the SAVE Act (PDF)
https://regmedia.co.uk/2017/10/31/saveact.pdf
--
Bill Will Not Call for NIST to Audit Federal Agencies' Cyber Security
(October 31, 2017)
The US House Science Committee has revised proposed legislation that would have put the National Institute of Standards and Technology (NIST) in the role of auditor for federal agencies' cyber security efforts. The revised bill calls for NIST to assist Inspectors General (IGs) but not to conduct the audits itself. The change was made in response to stakeholder comments, which expressed concern that the added responsibilities would harm NIST's neutral advisory stance and diminish its ability to fulfil its other responsibilities.
Read more in:
Nextgov: Lawmakers Back Down From Pushing NIST Into Cyber Auditing Role
House Science Committee: NIST Cybersecurity Framework, Assessment, and Auditing Act, Proposed modification (PDF)
https://science.house.gov/sites/republicans.science.house.gov/files/documents/H1224_sus2_FINAL.pdf
--
Mozilla to Make Canvas Fingerprinting Opt-in in Firefox 58
(October 30 & 31, 2017)
When Mozilla releases Firefox 58 in early 2018, the browser will no longer allow canvas fingerprinting by default. All major browsers currently permit canvas fingerprinting, which uses the HTML5 canvas element to let websites and web analytics services track users. Canvas fingerprinting is an alternative to cookies; users who wish to may opt in to the feature.
[Editor Comments]
[Pescatore] I'd like to see all browsers, and especially Google with the Chrome browser, take a similar user opt-in approach. The vast majority of Google's revenue is from advertising - by demonstrating they value users' abilities to balance privacy against free Internet services, Google could really raise the bar.
[Northcutt] A worthy feature. Tor browser has had it for as long as I can remember. Incidentally, they are running their fundraiser right now. I am donor 878; I don't normally go for swag, but that is a kewl T-shirt. Help support a bit of privacy and freedom on the Internet: https://donate.torproject.org/pdr
Read more in:
Threatpost: Firefox Bolsters Privacy, Pulls Plug On Browser Canvas Fingerprinting
https://threatpost.com/firefox-bolsters-privacy-pulls-plug-on-browser-canvas-fingerprinting/128697/
HelpNetSecurity: Firefox will soon block canvas-based browser fingerprinting attempts
https://www.helpnetsecurity.com/2017/10/30/firefox-browser-fingerprinting/
--
Arrest in DDoS Case
(October 31, 2017)
Authorities in the UK have arrested an individual for allegedly conducting distributed denial-of-service (DDoS) attacks against online services including Skype and Google, and for allegedly operating a portal for selling malware. Alex Bessell was arrested in September and arraigned earlier this week.
[Editor Comments]
[Northcutt] There is something wrong here: you can't take down Google or Skype with a network of 9,000 computers. As the story unfolds, a key to look for is "crypter", which helps malware be stealthy. He purportedly designed the money laundering/shady software portal AioBuy that he is charged with operating. If anyone has access to the Birmingham court arraignment documents, please send a link or scan to stephen@sans.edu.
Read more in:
Bleeping Computer: UK Man Arrested for Selling Malware, DDoS Attacks on Google & Skype Servers
--
PESCATORE FIRST LOOK: Facebook Vows to Sacrifice Growth for Secure Operations -- WSJ
While I would be more impressed if Facebook CEO Zuckerberg had made security Job One *before* his company (and others) was called on the carpet by Congress for being used by Russia to influence the US presidential election, Facebook could use its unique position to drive higher levels of security. Here is a direct quote from Mr. Zuckerberg in the earnings call: "...But I want to be clear about what our priority is. Protecting our community is more important than maximizing our profits."
Much of what he discussed was good stuff around detecting malicious and fake content, etc. But, imagine if Facebook would set a concrete goal to double (or triple) the percentage of Facebook users who use strong authentication to log in to Facebook. If Google and Twitter (the other two companies who testified before Congress) joined it, businesses would find that most of their users were using strong authentication at home and it would be easier to make the leap to moving beyond reusable passwords on corporate and government systems. Anything we do to eliminate reusable passwords lowers the probability of success of phishing - the biggest source of the most damaging breaches.
Back in 2002, Microsoft's CEO had a similar moment of enlightenment *after* Windows vulnerabilities caused billions in business damages and Microsoft learned that more secure software could actually increase profitability. Facebook could lead the way in a similar awakening around secure logins.
INTERNET STORM CENTER TECH CORNER
Malicious Powershell Code
https://isc.sans.edu/forums/diary/Some+Powershell+Malicious+Code/22988/
Apple Updates Everything
https://support.apple.com/en-gb/HT201222
Internet Draft To Update IoT Devices
https://tools.ietf.org/html/draft-moran-suit-architecture-00
Ethereum Miners Hijacked via Default SSH Credentials
https://labs.bitdefender.com/2017/11/ethereum-os-miners-targeted-by-ssh-based-hijacker/
Google Calendar Event Injection Added To Mail Sniper
https://www.blackhillsinfosec.com/google-calendar-event-injection-mailsniper/
November Ouch! Newsletter Released: Shopping Security Online
Employees Pay Up Ransomware
Crypto Shuffler Steals Bitcoin From Clipboard
https://www.kaspersky.com/blog/cryptoshuffler-bitcoin-stealer/19976/
Configuring SSH Properly on Cisco IOS
https://isc.sans.edu/forums/diary/Securing+SSH+Services+Go+Blue+Team/22992/
Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI (PDF)
http://www.umiacs.umd.edu/~tdumitra/papers/CCS-2017.pdf
Half of Most Popular Free iOS Apps Do Not Use TLS Correctly
Image Downloader Chrome Extension Includes Adware
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create