SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #91
November 17, 2017
The cyber skills pipeline problem may be starting to wind down as the UK's remarkable program for finding and nurturing talent spreads to the U.S. and to the rest of the developed world.
See the first story in Top of the News.
Alan
****************************************************************************
SANS NewsBites November 17, 2017 Vol. 19, Num. 091
****************************************************************************
TOP OF THE NEWS
White House Discloses Vulnerabilities Equity Process
REST OF THE WEEK'S NEWS
Amazon Key Service Camera Vulnerability
Oracle Patches Critical Flaws in Tuxedo
US-CERT Warns North Korea is Using Fallchill Remote Administration Tool
Colorado Adopts Risk Limiting Audits for Elections
Schneier: IoT Security Needs Government Regulation
Proposed Legislation Would Restore State Dept. Cyber Office
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Splunk ***************************
Avoid the Legacy SIEM Death Trap and Keep Your Organization Alive With Splunk. The consequences of failing to understand the limitations and pitfalls of a legacy SIEM can be dire for an organization that suffers a breach. Join this webinar to have experienced Splunk security practitioners walk you through identifying what should be migrated and what should be replaced from your existing SIEM. We will also share how companies have successfully migrated from their legacy SIEM to Splunk. http://www.sans.org/info/199850
*****************************************************************************
TRAINING UPDATE
-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017
-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017
-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017
-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | https://www.sans.org/event/siem-tactical-analytics-summit-2017
-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018
-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018
-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018
-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018
-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018
-- SANS OnDemand and vLive Training | Receive a 12.9" iPad Pro, Surface Pro 4 or take $400 Off your OnDemand or vLive course when you register by November 22nd. The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
*****************************************************************************
TOP OF THE NEWS
--
British Government Launches $25+ Million CyberDiscovery Programme: The Nationwide Talent Identification and Cyber Career Launching Program
(November 15, 2017)
Every student in grades 10-13 in the United Kingdom now has access to CyberStart as part of the UK CyberDiscovery Programme launched this week. CyberStart demonstrated remarkable effectiveness in finding people who have both the aptitude and attitude required for success in cybersecurity and teaching them foundational knowledge. Under CyberDiscovery, the UK will support each talented student identified by CyberStart with free CyberEssentials training, followed by scholarships and internships (for those who excel in the training). According to Chris Ensor, head of the UK National Cyber Security Center, these programs will "find and support motivated, high performers from all backgrounds who want to make a positive impact on the world."
[Editor Comments]
[Paller] Seven US Governors, one community college and one high school Cyber Patriot team leader are pilot testing the UK tools with remarkable results: see cyberstart.us for the seven governors' reports; look at the back covers of each of the seven reports, where you will see, in their own words, how this program impacts young people.
CyberDiscovery Talent Identification:
https://www.gov.uk/government/news/new-online-challenge-will-test-teenagers-cyber-security-skills
https://www.joincyberdiscovery.com/
https://twitter.com/DCMS/status/930748716889276417
Scholarships: https://www.ncsc.gov.uk/articles/cyber-first-bursary-scheme
Internships: https://www.gchq-careers.co.uk/early-careers/cyberfirst.html
--
White House Discloses Vulnerabilities Equity Process
(November 15, 2017)
The White House has disclosed its Vulnerabilities Equities Policy and Process (VEP), the guidelines it follows when deciding whether to notify vendors of vulnerabilities in their products or to keep them secret for use in US intelligence operations. Legislators, private sector companies, and citizen advocates have been pushing for increased transparency regarding the VEP.
[Editor Comments]
[Pescatore] The actual percentage of vulnerabilities found only by government agencies is very low. But a study by Rand of a small database of such undisclosed vulnerabilities showed they often remained undiscovered by public researchers for years. Transparency in this VEP process is needed to assure that the decision points have a default of "make the world safer, notify the vendor" and that overriding the default requires demonstration of near-term national safety intelligence value.
Read more in:
Nextgov: White House Discloses Rules on Weaponizing Software Vulnerabilities
Fifth Domain: White House calls for greater transparency in cyber Vulnerability Equities Process
The Register: The four problems with the US government's latest rulebook on security bug disclosures
http://www.theregister.co.uk/2017/11/15/us_governments_vulnerability_disclosure_policy/
CNET: How the US decides which security flaws to keep secret
https://www.cnet.com/news/white-house-trump-administration-hacking-security-flaws-vulnerabilities/
The Hill: House discloses secretive decision process for growing hacking toolkit
White House: Vulnerabilities Equities Policy and Process for the United States Government (PDF)
************************** SPONSORED LINKS ********************************
1) Join Lance Spitzner and Brian Honan for the 'GDPR: What to Train Your Workforce' Webcast: http://www.sans.org/info/199855
2) Intezer Analyze and SANS' Jake Williams demonstrate how finding code reuse of known malware enables you to improve and accelerate incident response plans. http://www.sans.org/info/199860
3) In case you missed it: "Breaking Down the Data: How Secure Are You and Your Supply Chain?" Register: http://www.sans.org/info/199865
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
Amazon Key Service Camera Vulnerability
(November 16, 2017)
A vulnerability in the software for the cameras designed to be used with Amazon Key, the company's new service that allows deliveries to be made inside customers' homes when they are not there, could be exploited to allow unscrupulous individuals to enter customers' homes. The flaw can be triggered by sending deauthorization commands to the camera; rather than going dark, the camera continues to display the last frame it captured before receiving the command, so the feed appears normal while the camera is no longer recording. Amazon says it plans to push out a software update for the issue.
Read more in:
Wired: Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera
https://www.wired.com/story/amazon-key-flaw-let-deliverymen-disable-your-camera/
Ars Technica: Amazon Key flaw makes entering your home undetected a possibility
--
Oracle Patches Critical Flaws in Tuxedo
(November 16, 2017)
Oracle has pushed out fixes for critical vulnerabilities in its Tuxedo application server software. The updates address five flaws, two of which have been rated critical. One of the critical flaws is a Heartbleed-like memory leak issue that affects the Jolt protocol. The second critical flaw could be exploited to fully compromise PeopleSoft systems.
Read more in:
Ars Technica: Oracle rushes out 5 patches for huge vulnerabilities in PeopleSoft app server
The Register: Oracle scrambles to sew up horrid security holes in PeopleSoft's Tuxedo
http://www.theregister.co.uk/2017/11/16/oracle_peoplesoft_tuxedo_security_vulnerabilities/
ZDNet: Oracle pushes emergency patch for critical Tuxedo server vulnerabilities
Oracle: Oracle Security Alert Advisory - CVE-2017-10269
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10269-4021872.html
--
US-CERT Warns North Korea is Using Fallchill Remote Administration Tool
(November 15, 2017)
The US Department of Homeland Security (DHS) and the FBI have released a joint technical alert through US-CERT warning of a remote administration tool (RAT) known as Fallchill. The malware appears to be the work of the North Korean hacking group known as Hidden Cobra.
Read more in:
FCW: New threats from North Korean malware
https://fcw.com/articles/2017/11/15/dprk-malware-rockwell.aspx
The Register: Crouching cyber Hidden Cobra: US warns Nork hackers are at it again with new software nasty
http://www.theregister.co.uk/2017/11/15/hidden_cobra_north_korea_malware_fallchill/
US-CERT: HIDDEN COBRA - North Korean Remote Administration Tool: FALLCHILL
https://www.us-cert.gov/ncas/alerts/TA17-318A
--
Colorado Adopts Risk Limiting Audits for Elections
(November 7 & 15, 2017)
The US state of Colorado is implementing a risk-limiting audit process to help verify and increase confidence in election results. The system enables auditors to determine the audit sample size based on the vote count margin and other factors. New Mexico has already implemented a similar measure, and the Rhode Island legislature has just passed a law that calls for "develop[ing] a voter-verified audit system."
[Editor Comments]
[Henry] I'm very happy to see individual states identifying this issue as a legitimate threat. While I have a full recognition of and appreciation for states' rights, the risk to our electoral process is too substantial to have 50 different systems and levels of capability. There needs to be a coordinated effort at the federal level, which is respectful of the sovereignty of the states but ensures consistent and formidable security standards.
[Murray] Early audits will disclose that many of our systems are fundamentally unauditable, that, either by accident or intent, they do not preserve enough information.
Read more in:
SC Magazine: Colorado implements Risk-Limiting Audit process to verify election results
CSM: Securing the vote: How 'paper' can protect US elections from foreign invaders
EAC: State of Colorado Risk-Limiting Audit - Final Report (PDF)
https://www.eac.gov/assets/1/28/Risk-Limiting%20Audit%20Report%20-%20Final%20.CO.pdf
--
Forever 21 Breach
(November 15, 2017)
Los Angeles-based clothing retailer Forever 21 has acknowledged that a data security breach led to the exposure of some customer payment card information. The incident affects certain point-of-sale payment systems on which encryption was not operational. The affected systems' data were compromised between March and October 2017.
Read more in:
SC Magazine: Forever 21 reports data breach, failed to turn on POS encryption
ZDNet: Forever 21 investigating possible data breach
http://www.zdnet.com/article/forever-21-reveals-potential-data-breach/
CNET: Forever 21 hack reveals payment card data
https://www.cnet.com/news/forever-21-hack-reveals-payment-card-data/
Cyberscoop: Forever 21 announces payment card data breach
https://www.cyberscoop.com/forever-21-data-breach/?category_news=technology
--
Schneier: IoT Security Needs Government Regulation
(November 15, 2017)
In a keynote speech at the SecTor security conference in Toronto, Bruce Schneier said that it's time for governments to regulate the security of the Internet of Things (IoT). Schneier says that the industry alone cannot adequately address IoT security issues and that many companies that make IoT devices lack dedicated security teams.
[Editor Comments]
[Honan] This is already happening within Europe. ENISA is proposing a baseline security spec for IoT devices.
https://www.theregister.co.uk/2017/05/23/enisa_proposes_internet_of_things_security_standards/
Read more in:
eWeek: Schneier: It's Time to Regulate IoT to Improve Cyber-Security
http://www.eweek.com/security/schneier-it-s-time-to-regulate-iot-to-improve-cyber-security
--
Proposed Legislation Would Restore State Dept. Cyber Office
(November 15, 2017)
The US House Foreign Affairs Committee has forwarded a bill that would restore a position of a top cyber diplomat at the State Department. The Cyber Diplomacy Act would establish an Office of Cyber Issues. The head of the office would have the standing of an ambassador. The bill also calls for "the United States to work internationally with allies and other partners to promote an open, interoperable, reliable, unfettered, and secure internet."
[Editor Comments]
[Henry] The NewsBites edition from earlier this week addressed the need for a "Geneva Convention" to address the cyber threat. I agree wholeheartedly with a much stronger diplomatic approach in this space, and I've worked extensively in international forums and with the State Department cyber team over the past decade. This type of position and representation of the United States in international forums is critical to building effective relationships and solving hard problems in the digital world. International cooperation should be a requirement, not a recommendation.
Read more in:
Fifth Domain: Bill establishing State Department cyber ambassador passes committee
Nextgov: Bill to Restore State Department Cyber Office Advances
House.gov: Cyber Diplomacy Act of 2017 (PDF)
http://docs.house.gov/meetings/FA/FA00/20171115/106637/BILLS-115-HR3776-R000487-Amdt-076.pdf
--
OnePlus Phones Have Backdoor
(November 14, 15, & 16, 2017)
Nearly every model of OnePlus Android phones contains a preloaded diagnostic application that acts as a backdoor. While the EngineerMode app is not readily accessible through the user interface, it is not difficult to find. It could be exploited to gain root access to the device. OnePlus says it plans to release an update that will remove the Android Debug Bridge (ADB) root function from EngineerMode.
Read more in:
ZDNet: OnePlus: We'll fix flawed app that lets attackers root our phones
http://www.zdnet.com/article/oneplus-well-fix-flawed-app-that-lets-attackers-root-our-phones/
Wired: Hack Brief: OnePlus Phones Have an Unfortunate Backdoor Built In
https://www.wired.com/story/oneplus-phones-have-an-unfortunate-backdoor-built-in/
Bleeping Computer: OnePlus Phones Come Preinstalled With a Factory App That Can Root Devices
Motherboard: OnePlus Phones Were Shipped With a Hidden Backdoor
https://motherboard.vice.com/en_us/article/59y4vz/oneplus-backdoor-engineer-mode
CNET: OnePlus backdoor means hackers could take over your phone
https://www.cnet.com/news/oneplus-backdoor-means-hackers-could-take-over-your-phone/
--
Adobe Patch Tuesday
(November 14 & 15, 2017)
Adobe has released security updates for its Flash Player, Photoshop CC, Acrobat and Reader, and six other products. In all, Adobe patched 86 security issues, including five in Flash Player and 62 in Acrobat and Reader.
Read more in:
KrebsOnSecurity: Adobe, Microsoft Patch Critical Cracks
https://krebsonsecurity.com/2017/11/adobe-microsoft-patch-critical-cracks/
V3: Microsoft Patch Tuesday weighs in at 53 while Adobe rushes out 83 patches to fix scores of 'critical' security flaws
Bleeping Computer: Adobe Patches Security Bugs in Flash Player and Eight Other Products
ZDNet: Adobe patches 67 vulnerabilities in Flash, Reader
http://www.zdnet.com/article/adobe-patches-67-vulnerabilities-in-flash-reader/
--
Microsoft Patch Tuesday
(November 14, 2017)
Microsoft has released fixes for 53 vulnerabilities in a variety of products, including Windows, Office, Edge and Internet Explorer. Twenty of the flaws are rated critical. Four of the patched flaws were previously disclosed but do not appear to have been exploited. One of the known flaws is a remote code execution issue in the Microsoft Equation Editor executable in Office that has been around for 17 years.
Read more in:
KrebsOnSecurity: Adobe, Microsoft Patch Critical Cracks
https://krebsonsecurity.com/2017/11/adobe-microsoft-patch-critical-cracks/
V3: Microsoft Patch Tuesday weighs in at 53 while Adobe rushes out 83 patches to fix scores of 'critical' security flaws
SC Magazine: Microsoft Patch Tuesday: 20 critical issues addressed
https://www.scmagazine.com/microsoft-patch-tuesday-20-critical-issues-addressed/article/707396/
Threatpost: Microsoft Patches 17-Year-Old Office Bug
https://threatpost.com/microsoft-patches-17-year-old-office-bug/128904/
Bleeping Computer: Office Equation Editor Security Bug Runs Malicious Code Without User Interaction
Microsoft: Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
--
Firefox Quantum
(November 14, 2017)
Mozilla has released Firefox Quantum, otherwise known as Firefox 57. The newest version of the company's flagship browser is reportedly twice as fast as Firefox 52, which debuted in March 2017. Among the new aspects in Firefox Quantum are a redesigned rendering engine, a new user interface, and a return to Google as its default search engine.
[Editor Comments]
[Northcutt] Firefox has been my default browser since its initial release and I have not had any interoperability problems. A browser not tied to Google/Alphabet, Microsoft, or Apple appeals to my sense of privacy. The bad news: about 70% of the code was refactored, or at least touched, in the update. That makes security problems likely. Suggest you use it for general browsing and a different browser for banking or online commerce.
Read more in:
CNET: Firefox's big-bang update brings you speed and a new look
https://www.cnet.com/news/firefox-quantum-update-mozilla-brings-speed-and-a-new-look/
Computerworld: Mozilla seeks return to glory with release of Firefox Quantum
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday Updates
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
Adobe Patches
https://helpx.adobe.com/security.html
Abusing Anti-Virus Quarantine Folders for Priv. Escalation
https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/
Malicious Document Turns Off Word Macro Protections
https://isc.sans.edu/forums/diary/If+you+want+something+done+right+do+it+yourself/23042/
OnePlus Phones Found With Preinstalled Debug App
https://twitter.com/__Tux/status/754085708843786240
Blueborne Affects Amazon Echo and Google Home Devices (now patched) (PDF)
http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf
More Malicious Apps In Google's Play Store
A Domain Dashboard For Splunk
https://isc.sans.edu/forums/diary/Suspicious+Domains+Tracking+Dashboard/23046/
Oracle Critical PeopleSoft Patch
http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-10269-4021872.html#AppendixFMW
GitHub Introducing Security Alerts for Dependencies
https://github.com/blog/2470-introducing-security-alerts-on-github
Exposing IP Addresses For Hidden Services
http://sh1ttykids.hateblo.jp/entry/2017/11/16/182001
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create