SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #94
December 1, 2017
****************************************************************************
SANS NewsBites December 1, 2017 Vol. 19, Num. 094
****************************************************************************
TOP OF THE NEWS
AWS Bucket Misconfiguration Exposes Classified NSA Data
NATO Members Develop Cyber Warfare Rules
Federal Cybersecurity Dashboard Adoption
REST OF THE WEEK'S NEWS
Seleznev Sentenced for New Charges
Fixes Available for Cisco WebEx Flaws
Google to Start Process of Blocking Third-Party Software Code Injection in Chrome
Website Using "Pop-Unders" to Launch Hidden, Persistent Cryptocurrency Miners
UK Suit Alleges Google Circumvented Privacy Protections on Users' iPhones
Apple Releases Fix for macOS Root Vulnerability
Baratov Reaches Plea Deal in Yahoo Breach Case
PowerDNS Releases Patches for Authoritative Server and Recursor
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By AlgoSec **************************
AlgoSec, the leader in Security Policy Management recently examined the state of security across hybrid environments. The survey revealed that while many organizations are embracing public cloud platforms as part of their enterprise infrastructure, they also have serious concerns when managing security across hybrid environments, both during and after cloud migrations. Read More: http://www.sans.org/info/200270
*****************************************************************************
TRAINING UPDATE
-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017
-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018
-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018
-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018
-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018
-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018
-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018
-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018
-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018
-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Get a 10.5" iPad Pro with Smart Keyboard, or an ASUS Chromebook Flip, or take $400 Off OnDemand or vLive Training when you register by December 13. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
*****************************************************************************
TOP OF THE NEWS
--
AWS Bucket Misconfiguration Exposes Classified NSA Data
(November 28 & 30, 2017)
Yet another misconfigured Amazon Web Services (AWS) S3 storage bucket has been found exposing classified and sensitive data. The bucket held information belonging to the US Army's Intelligence and Security Command (INSCOM), a joint Army and National Security Agency (NSA) command. The exposed data include a virtual hard drive image of roughly 100 gigabytes containing details of a failed Army intelligence project known as Red Disk; some of the files were marked top secret and NOFORN. UpGuard's Chris Vickery found the bucket in late September. It was configured for public access, so anyone who knew its address could download the contents without a password.
[Editor Comments]
[Pescatore] Short term: all AWS accounts come with 90-day free use (up to 250 agents) of Amazon's Inspector vulnerability assessment tool. Longer term: all enterprise-grade vulnerability assessment products support being extended out to the major cloud services. The usual problem is that the enterprise *processes* haven't been extended.
[Williams] With yet another classified data leak there needs to be some accountability for this leak. Some of our adversaries almost certainly found this unsecured classified information. The data on the drive image, if studied by adversaries is extremely damaging. Some have criticized Whittaker for writing about this, but without his reporting the government would have buried the fact of the leak. While national security is obviously a concern in any such situation, reporting in this case has started a valuable conversation about the handling of classified data, particularly by intelligence community contractors.
[Paller] Amazon does not take responsibility for security of user data except in services they provide. That's particularly true of configuration. Without substantial (skilled) effort, often using tools AWS provides, users are about as safe on AWS as they are putting their most sensitive data on a computer they bought at Best Buy and connected to the Internet.
Read more in:
FCW: Security firm reveals another NSA leak
https://fcw.com/articles/2017/11/28/nsa-leak-upguard-johnson.aspx
Cyberscoop: Top secret Army, NSA data found on public internet due to misconfigured AWS server
Threatpost: Leaky AWS Storage Bucket Spills Military Secrets, Again
https://threatpost.com/leaky-aws-storage-bucket-spills-military-secrets-again/129021/
GovTech: Top-Secret Cache of Army Intelligence Data Left Exposed on Internet
ZDNet: NSA leak exposes Red Disk, the Army's failed intelligence system
http://www.zdnet.com/article/nsa-leak-inscom-exposes-red-disk-intelligence-system/
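Pescatore's and Paller's comments above turn on configuration: a bucket is exposed when its ACL grants access to one of AWS's predefined public groups, or when its bucket policy allows a wildcard principal. The Python below is an added example for this issue, not code from the newsletter, from UpGuard or from AWS. It evaluates ACL and policy documents of the shape boto3's get_bucket_acl() and get_bucket_policy() return; the SAMPLE_ACL and SAMPLE_POLICY values are constructed for illustration and are not the INSCOM bucket's real configuration.

```python
import json

# The two AWS predefined groups whose grants make a bucket reachable by anyone:
# AllUsers is anonymous access, AuthenticatedUsers is any AWS account, not just yours.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return [(group_name, permission), ...] for every grant to a public group.

    `acl` has the shape boto3's get_bucket_acl() returns: {"Owner": ..., "Grants": [...]}.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def _principal_is_anyone(principal):
    """True for the wildcard principal forms: "*", {"AWS": "*"}, {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Return [(sid, actions, conditional), ...] for Allow statements open to anyone.

    `policy_json` is the string boto3's get_bucket_policy() returns under "Policy".
    `conditional` is True when the statement carries a Condition block: such a
    statement may be narrowed (e.g. to a source IP range or VPC endpoint), but a
    reviewer still has to read the condition before trusting it.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_anyone(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append((stmt.get("Sid", "<no Sid>"), actions, "Condition" in stmt))
    return findings


def bucket_is_public(acl, policy_json=None):
    """Overall verdict: any public ACL grant, or any unconditional wildcard Allow."""
    if public_acl_grants(acl):
        return True
    if policy_json:
        return any(not conditional for _, _, conditional in public_policy_statements(policy_json))
    return False


# Constructed samples (hypothetical bucket, not the INSCOM bucket's real configuration).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"IpAddress": {"aws:SourceIp": "198.51.100.0/24"}}},
    ],
})

if __name__ == "__main__":
    # With boto3 you would pass s3.get_bucket_acl(Bucket=name) and
    # s3.get_bucket_policy(Bucket=name)["Policy"] instead of the samples.
    print("ACL grants to public groups:", public_acl_grants(SAMPLE_ACL))
    print("Wildcard-principal statements:", public_policy_statements(SAMPLE_POLICY))
    print("Bucket public?", bucket_is_public(SAMPLE_ACL, SAMPLE_POLICY))
```

Run this against every bucket in every account, not just the ones someone remembers creating; the buckets in this and the earlier leaks were reachable by anyone with the URL, which is exactly what an AllUsers READ grant or a Principal "*" GetObject statement means. Object-level ACLs can also expose individual files in an otherwise private bucket, so a bucket-level verdict of "not public" is necessary but not sufficient.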
--
NATO Members Develop Cyber Warfare Rules
(November 30, 2017)
Seven NATO member countries - the US, the UK, Germany, Norway, Denmark, the Netherlands, and Spain - are developing a slate of cyber warfare principles to help NATO military forces decide when to deploy cyber weapons. The new doctrine could mark a NATO shift away from a purely defensive cybersecurity posture.
[Editor Comments]
[Pescatore] NATO countries have been using offensive cyber weapons for a long time now. The real issue is reaching a consensus on defining what conditions justify their use. For example, in the pre-Internet days broadcast propaganda stations were used by many countries to send "fake news" across borders to enemy countries, yet that wasn't considered warfare. Similarly, intelligence agencies collecting intelligence in nefarious ways wasn't dealt with as an act of war. Those same activities using the Internet don't necessarily add up to "cyber war," and many forms of active cyber response are very likely to cause unintended consequences.
Read more in:
Reuters: NATO mulls 'offensive defense' with cyber warfare rules
Silicon UK: NATO Plots Cyber Warfare Rules
--
Federal Cybersecurity Dashboard Adoption
(November 28, 2017)
A US Department of Homeland Security official says that the major government agencies are expected to be connected to the federal cybersecurity dashboard by the end of February 2018. The dashboard will allow DHS officials to keep tabs on which software is running on networks across the government. Just two agencies are currently connected. Once the 24 major agencies are connected, DHS will begin connecting smaller agencies. The federal cybersecurity dashboard is part of DHS's Continuous Diagnostics and Mitigation program.
[Editor Comments]
[Northcutt] Ignore the pundits who criticize saying they should measure this or that. The dashboard means certain metrics will be monitored and compared against peer agencies. When you are the only one with a failing score, there is no place to hide.
Read more in:
Nextgov: All Major Agencies Will Be on Federal Cybersecurity Dashboard by February
************************** SPONSORED LINKS ********************************
1) Join this webinar with Splunk to learn how to avoid the legacy SIEM death trap and keep your organization alive. http://www.sans.org/info/200275
2) Don't Miss: "Next-Generation Antivirus (NGAV) Buyer's Guide: Successful Strategies for Choosing and Implementing NGAV." Register: http://www.sans.org/info/200280
3) "2017 Trends and Strategies for Protecting Endpoints in Healthcare" Register: http://www.sans.org/info/200285
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
Seleznev Sentenced for New Charges
(November 30 & December 1, 2017)
Roman Valeryevich Seleznev has been sentenced to 14 years in prison in each of two federal cases: racketeering, for his role in the Carder.su organized cybercrime ring (District of Nevada), and conspiracy to commit bank fraud (Northern District of Georgia). Seleznev was sentenced to 27 years in prison in April in a separate case for hacking point-of-sale systems and selling the stolen payment card data. All of the sentences run concurrently.
Read more in:
The Register: Stop us if you've heard this one: Russian hacker thrown in US slammer for $59m bank fraud
http://www.theregister.co.uk/2017/12/01/roman_seleznev_track2_jailed/
DoJ: Russian Cyber-Criminal Sentenced to 14 Years in Prison for Role in Organized Cybercrime Ring Responsible for $50 Million in Online Identity Theft and $9 Million Bank Fraud Conspiracy
--
Fixes Available for Cisco WebEx Flaws
(November 30, 2017)
Cisco has released patches to address six vulnerabilities in the Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) files and the WebEx Player for WebEx Recording Format (WRF) files. The flaws, rated critical, are memory corruption bugs that a remote attacker could exploit by getting a user to open a maliciously crafted recording file, delivered as an email attachment or via a link, to execute arbitrary code on the user's system. Users are encouraged to update the affected players; there are no workarounds available.
Read more in:
Cisco: Multiple Vulnerabilities in Cisco WebEx Recording Format and Advanced Recording Format Players
Threatpost: Cisco Patches Critical Playback Bugs in WebEx Players
https://threatpost.com/cisco-patches-critical-playback-bugs-in-webex-players/129057/
SC Magazine: Cisco patches multiple vulnerabilities in WebEx platforms
https://www.scmagazine.com/cisco-patches-critical-webex-platform-vulnerabilities/article/710747/
--
Google to Start Process of Blocking Third-Party Software Code Injection in Chrome
(November 30, 2017)
Google has laid out a three-step schedule for blocking third-party software, most commonly antivirus and other security products, from injecting code into Chrome processes on Windows, which Google says makes Chrome markedly more likely to crash. Chrome 66, scheduled for release in April 2018, will notify users after a browser crash that third-party code is being injected and offer suggestions for updating or removing the offending software. In Chrome 68, scheduled for release in July 2018, third-party code injection will be blocked; if the blocking prevents Chrome from starting, Chrome will restart with the injection allowed and show a warning. In Chrome 72, scheduled for release in January 2019, Chrome will always block third-party code injection. Microsoft-signed code, accessibility software and IME software are exempt.
Read more in:
Bleeping Computer: Google Will Block Third-Party Software From Injecting Code Into Chrome
The Register: Google Chrome vows to carpet bomb meddling Windows antivirus tools
http://www.theregister.co.uk/2017/11/30/google_chrome_antivirus_shutout/
--
Website Using "Pop-Unders" to Launch Hidden, Persistent Cryptocurrency Miners
(November 29 & 30, 2017)
At least one website has been spotted using a pop-under, in this case a small browser window opened and positioned behind the Windows taskbar, to run a Coinhive cryptocurrency miner on visitors' machines. Because the hidden window is a separate browser window, the miner keeps running after the visible browser windows are closed, and the mining script is throttled so CPU usage does not climb high enough to draw attention. So far the technique has been seen on just one website and appears to work only in Chrome. The leftover window shows up as a still-running browser process in Task Manager and can be closed from there, or revealed by resizing the taskbar.
[Editor Comments]
[Ullrich] As the value of cryptocurrencies increases, we are seeing more and more fraud related to them. For a quick summary of current attacks, see https://isc.sans.edu/forums/diary/9+Fast+and+Easy+Ways+To+Lose+Your+Crypto+Coins/23071/
Read more in:
Malwarebytes: Persistent drive-by cryptomining coming to a browser near you
Bleeping Computer: Cryptojacking Script Continues to Operate After Users Close Their Browser
SC Magazine: Cryptominer uses hidden browser windows to keep on mining
--
UK Suit Alleges Google Circumvented Privacy Protections on Users' iPhones
(November 29, 2017)
Google is being taken to court in the UK over allegations that it placed cookies on iPhone owners' devices in 2011 and 2012 even though Safari was set to block third-party cookies, and then used those cookies to deliver targeted advertisements. The claim, brought under the name Google You Owe Us, concerns the same "Safari workaround" for which Google paid a 22.5 million USD settlement to the US Federal Trade Commission in 2012.
Read more in:
BBC: Google faces mass legal action in UK over data snooping
http://www.bbc.com/news/technology-42166089
--
Apple Releases Fix for macOS Root Vulnerability
(November 28 & 29, 2017)
Apple has released an emergency security update (Security Update 2017-001) for macOS High Sierra to address a flaw, CVE-2017-13872, that allowed anyone at a login or authentication prompt to authenticate as root with an empty password. The authentication code did not treat the disabled root account as disabled: the first attempt with an empty password enabled the account and set that empty password, so the second attempt succeeded. The patch was scheduled to be applied automatically to machines running High Sierra 10.13.1 on Wednesday, November 29. Apple apologized and said it will audit its development processes to prevent a recurrence.
[Editor Comments]
[Ullrich] The patch will disable the root account again, which is a good thing, but if you need the root account enabled, then make sure to re-enable it after applying the patch. There may also be an issue when trying to connect to file shares after applying the fix. Apple has instructions on fixing any file share related issues. The problem here wasn't really so much that the disabled root account had no password, but a bug in some parts of the operating system that did not verify that the account was disabled.
Read more in:
Wired: Anyone Can Hack macOS High Sierra Just By Typing "Root"
https://www.wired.com/story/macos-high-sierra-hack-root/
The Register: As Apple fixes macOS root password hole, here's what went wrong
http://www.theregister.co.uk/2017/11/29/apple_macos_high_sierra_root_bug_patch/
ZDNet: Apple fixes macOS password flaw
http://www.zdnet.com/article/apple-fixes-macos-password-flaw/
Ars Technica: New security update fixes macOS root bug
https://arstechnica.com/gadgets/2017/11/new-security-update-fixes-macos-root-bug/
KrebsOnSecurity: MacOS High Sierra Users: Change Root Password Now
https://krebsonsecurity.com/2017/11/macos-high-sierra-users-change-root-password-now/
--
Baratov Reaches Plea Deal in Yahoo Breach Case
(November 28 & 29, 2017)
Karim Baratov has reached a plea deal with US prosecutors over his role as a hacker-for-hire who broke into webmail accounts, including Gmail accounts, of targets selected by two Russian FSB officers who were also charged over the 2014 Yahoo breach. He was extradited from Canada to the US earlier this year. On Tuesday, November 28, Baratov pleaded guilty to one count of conspiracy to commit computer fraud and abuse and eight counts of aggravated identity theft.
Read more in:
The Register: Canadian! fella! admits! hacking! Gmail! inboxes! amid! Yahoo! megahack!
http://www.theregister.co.uk/2017/11/29/canadian_hacker_webmail_yahoo/
Ars Technica: Hacker pleads guilty to huge Yahoo hack, admits helping Russia's FSB
Cyberscoop: Guilty plea for Canadian charged in 2014 Yahoo hacking case
https://www.cyberscoop.com/karim-baratov-yahoo-hacking-fsb-guilty-plea/
Fifth Domain: 'Hacker-for-hire' pleads guilty to Yahoo breach
--
PowerDNS Releases Patches for Authoritative Server and Recursor
(November 28, 2017)
PowerDNS has released Authoritative Server 4.0.5 and Recursor 4.0.7 to address five vulnerabilities. In the Authoritative Server, a missing check in the API allowed a client with valid API credentials to flush the cache, trigger a zone transfer or send a NOTIFY even when the API was configured read-only (CVE-2017-15091). In the Recursor: insufficient validation of DNSSEC signatures, which let an attacker in a man-in-the-middle position alter record contents and supply a signature the Recursor would accept (CVE-2017-15090); cross-site scripting in the web interface (CVE-2017-15092); configuration file injection through the API (CVE-2017-15093); and a memory leak when parsing DNSSEC records, which a malicious authoritative server could use to exhaust the Recursor's memory (CVE-2017-15094).
Read more in:
PowerDNS: PowerDNS Authoritative Server 4.0.5 and Recursor 4.0.7 Released
HelpNet Security: PowerDNS patches five security holes in widely used nameserver software
https://www.helpnetsecurity.com/2017/11/28/powerdns-patches-five-security-holes/
The Register: Open source nameserver used by millions needs patching
http://www.theregister.co.uk/2017/11/28/powerdns_dnssec_bugs/
INTERNET STORM CENTER TECH CORNER
Passwordless Root Account Allows for Trivial Privilege Escalation on MacOS High Sierra
https://twitter.com/lemiorhan/status/935578694541770752
https://support.apple.com/en-us/HT204012
Apple Releases Security Update 2017-001 to Fix Passwordless Root Bug
https://support.apple.com/en-us/HT208315
Coinhive Miner Now As Pop-Under
Fileless Malicious PowerShell Sample
https://isc.sans.edu/forums/diary/Fileless+Malicious+PowerShell+Sample/23081/
Defeating Facial Recognition
https://arxiv.org/abs/1711.09001
Bitcoin Gold Wallet App Compromise
https://bitcoingold.org/critical-warning-nov-26/
Project Exodus Identified Trackers in Android Apps
https://reports.exodus-privacy.eu.org/reports/apps/
Insecure Android Crypto Currency Wallets
https://www.htbridge.com/news/security-cryptocurrency-mobile-apps.html
.dev TLD Now Requires HTTPS in Chrome
http://www.theregister.co.uk/2017/11/29/google_dev_network/
More Malspam Pushing Emotet Malware
https://isc.sans.edu/forums/diary/More+Malspam+pushing+Emotet+malware/23083/
Google Chrome To Block Some Third Party Software Mid-2018
https://blog.chromium.org/2017/11/reducing-chrome-crashes-caused-by-third.html
European Union Funds VLC Bug Bounty
https://joinup.ec.europa.eu/news/hackerone-vlc
STI Student Scott Perry: Virtual System Forensics
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create