
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #95

December 5, 2017


****************************************************************************

SANS NewsBites               December 5, 2017                Vol. 19, Num. 095

****************************************************************************

TOP OF THE NEWS

Uber Security Managers Resign

Google Revises Safe Browsing Rules

Virginia Students Awarded $140,000 in Cyber Security Scholarships

Former NSA Hackers Concerned Over Possibility of Reciprocal Indictments

REST OF THE WEEK'S NEWS

Apple Releases iOS 11.2

PayPal Acknowledges TIO Networks Data Breach

Man Tries to Hack Prison System to Gain Friend's Early Release

UK MP Says She Shares Work Computer Login with Staff

Some Vendors Offering to Ship Computers with Intel ME Disabled

Former Employee Gets Prison Sentence for Intellectual Property Theft

Guilty Plea in NSA Data Theft Case

Apple's Bug Fix Has a Bug

INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By Sophos Inc. ***********************


Do you really know what your network is up to? On average 60% of corporate traffic is unidentified. Read the whitepaper to learn more about network visibility, the risks from unidentified traffic and the critical features to solve the issue. Download whitepaper >>

http://www.sans.org/info/200290


*****************************************************************************

TRAINING UPDATE


-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018


-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018


-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018


-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018


-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018


-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018


-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018


-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018


-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Get a 10.5" iPad Pro with Smart Keyboard, or an ASUS Chromebook Flip, or take $400 Off OnDemand or vLive Training when you register by December 13. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast - https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all


*****************************************************************************

TOP OF THE NEWS

 --Uber Security Managers Resign

(December 1, 2017)

Three members of Uber's security team have resigned in the wake of a massive breach of company data that was not disclosed in a timely manner. Uber paid hackers $100,000 USD in an attempt to cover up the breach. Uber is also facing allegations that it has employed people to spy on rival companies' computers and has taken steps to thwart investigations. (Note: the WSJ story is behind a paywall.)


Read more in:

CNBC: 3 top Uber managers resign amid backlash from data breach and Waymo lawsuit revelations

https://www.cnbc.com/2017/12/01/3-top-uber-mangers-resign-after-data-breach-lawsuit-hearing.html

WSJ: Uber Security Managers Resign in Wake of Hack, Surveillance Allegations

https://www.wsj.com/articles/uber-security-managers-resign-in-wake-of-hack-surveillance-allegations-1512181541

 

 --Google Revises Safe Browsing Rules

(December 4, 2017)

Google is notifying app developers that they have two months to ensure that their apps are compliant with its Unwanted Software policy. Apps that are not in line with the policy by the end of January 2018 will cause Google Safe Browsing to show warnings on apps and websites leading to apps that collect personal user data without consent. Apps that collect and transmit user data unrelated to the app's functionality must also obtain "affirmative consent" from users.  


[Editor Comments]

[Pescatore] Continuing kudos to Google for continual raising of the privacy and security bar for software vendors that want to sell through the Google Play app store. Google's own security and privacy practices seem to also improve steadily over time. They have a powerful incentive: more than 90% of Google's revenue comes from convincing individuals to share information so Google can use that information in its search engine and in selling targeted advertising. A suggestion for Google's New Year's resolutions: drive a doubling of the number of people using strong authentication across its services.


Read more in:

The Register: Google to crack down on apps that snoop

http://www.theregister.co.uk/2017/12/04/expanded_google_unwanted_software_policy/

ZDNet: Google cracks down on apps that snoop on you, even if they're not in Play Store

http://www.zdnet.com/article/google-cracks-down-on-apps-that-snoop-on-you-even-if-theyre-not-in-play-store/

Google: Additional protections by Safe Browsing for Android users

https://security.googleblog.com/2017/12/additional-protections-by-safe-browsing.html


 --Virginia Students Awarded $140,000 in Cyber Security Scholarships

(November 29 & 30, 2017)

Students in Virginia have been awarded $140,000 USD in scholarships through the SANS Institute CyberStart online cyber security skills aptitude pilot program. Of the 1980 students in Virginia who registered to participate, 843 qualified for the CyberStart Game. Ten students from Virginia finished in the top 20 overall. Sixty-two Virginia students won scholarships for further cybersecurity education and training. In all, seven states participated in the program.


[Editor Comments]

[Paller] Fifteen governors will launch "Girls4CyberStart" in January to allow all high school girls in their states to discover whether they have a talent (even a hidden talent) and whether they would enjoy working in the field. More about the game the governors will launch is at CyberStart.us.


Read more in:

Governor of Virginia: Governor McAuliffe Announces Virginia Students Awarded $140,000 in Cyber Security Scholarships

https://governor.virginia.gov/newsroom/newsarticle?articleId=21852  


 --Former NSA Hackers Concerned Over Possibility of Reciprocal Indictments

(December 1, 2017)

In the wake of the US Justice Department's indictments of three Chinese hackers believed to have been working on behalf of the government there, former NSA elite hackers have expressed concerns that they could face similar action from China or Russia. Jake Williams has called "on the federal government to formally and publicly tell all US gov hackers (current and former) that we will be protected, not extradited."


[Editor Comments]

[Williams] US Cyber Command continues to have recruiting challenges. As we try (and often fail) to recruit the best and the brightest to work in US cyber, charging their foreign counterparts is definitely not a winning move. There are questions that need to be answered: Do we consider state sponsored hackers spies? If so, are their actions criminal or diplomatic issues? The US will set the norms in how these cases are handled, and we need to do that before our people are charged.


Read more in:

Motherboard: Ex-NSA Hackers Worry China And Russia Will Try to Arrest Them

https://motherboard.vice.com/en_us/article/a3jzke/ex-nsa-hackers-worry-china-and-russia-will-try-to-arrest-them


**************************  SPONSORED LINKS  ********************************


1) Join FireEye Product Marketing Director, Dan Reis for a webcast "The Convergence of EPP and EDR: Tomorrow's Solution Today." Register: http://www.sans.org/info/200295


2) ICYMI: "Breaking Down the Data: How Secure Are You and Your Supply Chain?" View the Archive: http://www.sans.org/info/200300


3) Register for this webcast to explore how continuous security validation can help you address your security effectiveness. http://www.sans.org/info/200305


*****************************************************************************

THE REST OF THE WEEK'S NEWS   

 --Apple Releases iOS 11.2

(December 4, 2017)

Apple has released iOS 11.2 ahead of schedule to address a problem that caused many iPhones and other devices running the mobile operating system to crash at 12:15 AM on December 2, as well as to address additional security issues. Users are being advised to turn off notifications for all apps on the device before installing the update.


[Editor Comments]

[Ullrich] Apple had a pretty bad week. First the password-less root login in macOS, and now the "December 2nd" crash with iOS. The release of iOS 11.2 was rushed, and so far, no details about security fixes have been released. Apple also released an updated tvOS on Monday. Typically, Apple releases updates for all of its products at the same time. iOS, macOS, watchOS and tvOS share a lot of code, and vulnerabilities often affect all of them. As a result, releasing one of them "out of band" puts other operating systems at risk if vulnerability details are released. Expect updates of macOS in the next few days.

 

Read more in:

Ars Technica: iOS 11.2 fixes date bug that crashes iDevices, begins Apple Pay Cash rollout

https://arstechnica.com/gadgets/2017/12/ios-11-2-fixes-date-bug-that-crashes-idevices-begins-apple-pay-cash-rollout/

Apple Support: If your iPhone, iPad, or iPod touch unexpectedly restarts

https://support.apple.com/en-us/HT208332

 

 --PayPal Acknowledges TIO Networks Data Breach

(December 4, 2017)

PayPal has acknowledged that a data breach at recently-acquired payment processor TIO Networks affected the personally identifiable information of about 1.6 million customers. In early November, PayPal suspended operations at TIO Networks; the reason given for the suspension was to "protect customer data as part of an ongoing investigation of security vulnerabilities of the TIO platform."


[Editor Comments]

[Northcutt] These days data breaches are priced into the merger and acquisition process, just another negative on the balance sheet like uncollectible debts:

https://www.csoonline.com/article/3119865/security/mergers-create-greater-security-risk.html

https://www.cio.com/article/3105276/mergers-acquisitions/making-cybersecurity-a-priority-in-mergers-and-acquisitions-integration.html

http://www.ey.com/gl/en/services/advisory/ey-cybersecurity-cyber-threat-flash-points-mergers-and-acquisitions

 

Read more in:

SC Magazine: Data breach at PayPal's TIO Networks unit affects 1.6 million customers

https://www.scmagazine.com/data-breach-at-paypals-tio-networks-unit-affects-16-million-customers/article/711484/

 

 --Man Tries to Hack Prison System to Gain Friend's Early Release

(December 4, 2017)

A man who broke into a Michigan prison computer network in an attempt to arrange an early release for a friend has been caught. Konrad Voits set up a phishing domain through which he obtained account access credentials for 1,600 Washtenaw County employees, including at least one account that allowed him to access an inmate tracking system used at the local prison. Voits's activity raised red flags in the system and he was ultimately caught.  


[Editor Comments]

[Ullrich] Prison staff probably checked the "paper records" in addition to the online records not because they were afraid of a breach, but likely because the online data quality is poor and often inaccurate even without someone manipulating it.

 

Read more in:

The Register: Prison hacker who tried to free friend now likely to join him inside

https://www.theregister.co.uk/2017/12/04/prison_hacker_pleads_guilty/

 

 --UK MP Says She Shares Work Computer Login with Staff

(December 3 & 4, 2017)

UK MP Nadine Dorries revealed on Twitter that she shares her computer access credentials with staff members and temporary interns. Dorries offered the information in defense of MP Damian Green who is under investigation for having pornography on his government computer. Dorries was attempting to call into question the assertion of law enforcement that Green is responsible for data found on his computer.


[Editor Comments]

[Honan] This shows why effective security awareness training needs to include senior staff, and demonstrates why regular contact between the security team and the users is essential to ensure the correct security controls are in place to support the business need. By meeting business people and understanding the challenges they face we can implement more effective security controls that do not get in the way of how people work but instead enable them to work more securely. As an aside, the Information Commissioner's Office in the UK tweeted out guidance to MPs and others in response to this issue https://twitter.com/ICOnews/status/937654177571983362


Read more in:

The Register: Brit MP Dorries: I gave my staff the, um, green light to use my login

http://www.theregister.co.uk/2017/12/04/dorries_i_give_my_staff_my_login_details/

The Guardian: Nadine Dorries under fire for lax attitude to cybersecurity

https://www.theguardian.com/politics/2017/dec/03/nadine-dorries-under-fire-for-lax-attitude-to-cyber-security

 

 --Some Vendors Offering to Ship Computers with Intel ME Disabled

(December 3, 2017)

At least three computer vendors are now offering customers the option of purchasing devices without Intel Management Engine (ME), which was recently found to contain security flaws. The companies are also offering to provide firmware updates that disable the Intel ME technology.  


[Editor Comments]

[Northcutt] We have known about the risk of Intel computers with an undocumented CPU and OS for 10 years, but things really started to unravel this year. There is no known security countermeasure; anti-virus and similar tools are ineffective; any file can be accessed. Prediction: within 6 months someone will show how it is possible to access the Intel Management Engine despite firmware fixes:

https://www.theregister.co.uk/2017/11/09/chipzilla_come_closer_closer_listen_dump_ime/


Read more in:

Bleeping Computer: Dell, Other Vendors Start Shipping Laptops With Intel ME Firmware Disabled

https://www.bleepingcomputer.com/news/hardware/dell-other-vendors-start-shipping-laptops-with-intel-me-firmware-disabled/

 

 --Former Employee Gets Prison Sentence for Intellectual Property Theft

(December 3, 2017)

A former IT manager has been sentenced to six years in prison for breaking into his former employer's network and stealing data. Jacob Raines resigned his position at American Crane & Tractor Parts (AC&TP) in March 2014 after working as the company's IT manager for 10 years. Raines's replacement, who had been given Raines's old computer, noticed in May 2014 that someone had logged into the PC and was initiating an FTP transfer. An investigation revealed that Raines had logged into the machine several times with the apparent intent of stealing AC&TP source code. While searching Raines's home, FBI agents also found evidence that he had accessed child pornography.   


Read more in:

Bleeping Computer: Former Sysadmin Caught Hacking His Ex-Employer by His Replacement

https://www.bleepingcomputer.com/news/security/former-sysadmin-caught-hacking-his-ex-employer-by-his-replacement/

 

 --Guilty Plea in NSA Data Theft Case

(December 1 & 2, 2017)

Former National Security Agency (NSA) employee Nghia Hoang Pho has admitted to taking home classified data and keeping it on his home computer. US officials believe that hackers working on behalf of the Russian government then stole the information from Pho's computer. Pho has pleaded guilty to "willful retention of national defense information." Pho began working as a developer in the NSA's Tailored Access Operations (TAO) unit in 2006. Sentencing is scheduled for April 6.


Read more in:

KrebsOnSecurity: Former NSA Employee Pleads Guilty to Taking Classified Data

https://krebsonsecurity.com/2017/12/former-nsa-employee-pleads-guilty-to-taking-classified-data/

NYT: Former N.S.A. Employee Pleads Guilty to Taking Classified Information

https://www.nytimes.com/2017/12/01/us/politics/nsa-nghia-pho-classified-information-stolen-guilty.html?_r=0

ZDNet: NSA employee pleads guilty after stolen classified data landed in Russian hands

http://www.zdnet.com/article/former-nsa-staffer-pleads-guilty-after-classified-data-theft/

CNET: NSA staffer pleads guilty to taking home top secret files

https://www.cnet.com/news/kaspersky-nsa-staffer-pleads-guilty-hacking-tools/

 

 --Apple's Bug Fix Has a Bug

(December 1 & 2, 2017)

The fix Apple rushed out last week for macOS to address a flaw that allowed anyone to log in as a systems administrator on machines running macOS High Sierra has a bug of its own. Users who had not yet updated to macOS 10.13.1 but had received the emergency update found that the patch was undone when they later installed 10.13.1. The issue can be fixed by installing the patch again once users have updated to the newest version of the operating system, but it will not take effect until the computer is rebooted.


Read more in:

Wired: macOS Update Accidentally Undoes Apple's "Root" Bug Patch

https://www.wired.com/story/macos-update-undoes-apple-root-bug-patch/

Ars Technica: Updating macOS can bring back the nasty "root" security bug

https://arstechnica.com/gadgets/2017/12/updating-macos-can-bring-back-the-nasty-root-security-bug/

CNET: iOS crashes and MacOS flaws? Here's what to do

https://www.cnet.com/news/iphone-crashing-ipad-ios-112-macos-root-flaw/

 

INTERNET STORM CENTER TECH CORNER

Brazilian Banking Malware Uses UTF-16 Encoded .BAT File

https://isc.sans.edu/forums/diary/Phishing+campaign+uses+old+bat+script+to+spread+banking+malware+and+it+is+flying+under+the+radar/23091/


Phishing Abuse of JotForm

https://isc.sans.edu/forums/diary/Phishing+Kit+AbUsing+Cloud+Services/23089/


Apple Releases iOS 11.2

(no details live yet)

https://support.apple.com/en-us/HT201222


Slurp S3 Bucket Enumerator

https://github.com/bbb31/slurp.git


Incident Response Using TheHive

https://isc.sans.edu/forums/diary/IR+using+the+Hive+Project/23099/


SeKey: Touch ID Control for ssh-agent

https://github.com/ntrippar/sekey


SSL/TLS For Scapy

https://github.com/tintinweb/scapy-ssl_tls


tvOS 11.2 Released (but no details about security content yet)

https://support.apple.com/en-us/HT201222


System Vendors Ship Laptops With Intel ME Disabled

https://www.reddit.com/r/linuxhardware/comments/7grglm/how_to_buy_a_dell_laptop_with_the_intel_me/

http://blog.system76.com/post/168050597573/system76-me-firmware-updates-plan

 

Hacker Falsified Jail Records To Free Friend

https://www.justice.gov/usao-edmi/pr/ann-arbor-man-pleads-guilty-computer-intrusion-case


Critical Patch For RSA Authentication Agent

http://seclists.org/fulldisclosure/2017/Nov/46

https://community.rsa.com/community/products/securid/authentication-agent-web-apache


******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create