
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #96

December 8, 2017


****************************************************************************

SANS NewsBites               December 8, 2017                Vol. 19, Num. 096

****************************************************************************

TOP OF THE NEWS

NIST Releases Second Draft of Cybersecurity Framework

NiceHash Bitcoin Wallet Stolen

Stanford University Chief Digital Officer Loses Job Over Silence on Breach

REST OF THE WEEK'S NEWS

Google Releases Chrome 63

Critical Flaw in Microsoft Malware Protection Engine

Additional Uber Breach Details

US Army Will Recruit Civilian Cybersecurity Experts

Intel ME Flaw Detailed at Black Hat

Apple Updates macOS High Sierra to Version 10.13.2, Releases Details About iOS 11.2 Security Content

December Android Security Bulletin

Apache Struts Updates

New US Homeland Security Secretary Has Extensive Cybersecurity Experience

INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By Netsparker  ***********************


Do you have too many web applications but you cannot check the security posture of all of them? Netsparker developed a scalable vulnerability assessment solution that can scan thousands of web applications for vulnerabilities such as XSS and SQL Injection in just days instead of months. It also automatically proves the identified vulnerabilities are real and not false positives, thus making it possible to improve the security posture of all your web applications within a reasonable amount of time. http://www.sans.org/info/200575


*****************************************************************************

TRAINING UPDATE


-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018


-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018


-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018


-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018


-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018


-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018


-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018


-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018


-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Get a 10.5" iPad Pro with Smart Keyboard, or an ASUS Chromebook Flip, or take $400 Off OnDemand or vLive Training when you register by December 13. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast - https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format -https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all


*****************************************************************************

TOP OF THE NEWS

 --

NIST Releases Second Draft of Cybersecurity Framework

(December 6, 2017)

The US National Institute of Standards and Technology (NIST) has released the second draft of its Framework for Improving Critical Infrastructure Cybersecurity. The new draft document includes changes to existing guidelines concerning cybersecurity risk self-assessment, as well as new guidelines regarding authorization, authentication, identity proofing, and vulnerability disclosure. The document is open for public comment through Friday, January 19, 2018.


[Editor Comments]

[Paller] Excellent timing and a great start for 2018. The same week that consensus was reached among the U.S., Australian and UK definitions of "minimum acceptable practice (MAP)" in cyber hygiene, NIST's framework points directly to the US version of that consensus: The CIS Critical Security Controls. NIST lists the CIS Controls as a reference along with NIST SP800-53 Rev. 4. Nothing will be published on the multi-national MAP consensus until early in 2018, but knowing you will have powerful external consensus support for getting business units to implement the top 5 CIS critical security controls (plus number 10) should make 2018 a much more productive year for security officers who have long struggled to make broad, important improvements in cyber hygiene.

NIST: Framework for Improving Critical Infrastructure Cybersecurity: Version 1.1 Draft 2 (PDF)

https://www.nist.gov/sites/default/files/documents/2017/12/05/draft-2_framework-v1-1_without-markup.pdf

Dark Reading: NIST Releases New Cybersecurity Framework Draft

https://www.darkreading.com/cloud/nist-releases-new-cybersecurity-framework-draft/d/d-id/1330579

SC Magazine: NIST 1.1 tackles cybersecurity metrics, supply chain

https://www.scmagazine.com/nist-11-tackles-cybersecurity-metrics-supply-chain/article/712414/


 --

NiceHash Bitcoin Wallet Stolen

(December 6 & 7, 2017)

Cryptocurrency mining marketplace NiceHash says that a breach of its Bitcoin wallet earlier this week led to the theft of 4,700 Bitcoin, or roughly $70-80 million USD worth of the cryptocurrency. The company says it is working to recover the stolen Bitcoin. NiceHash allows users to buy and sell resources to mine cryptocurrency. (Note: The WSJ story is behind a paywall.)


Read more in:

The Register: NiceHash diced up by hackers, thousands of Bitcoin pilfered

http://www.theregister.co.uk/2017/12/06/nicehash_diced_up_by_hackers_thousands_of_bitcoin_pilfered/

Bleeping Computer: Largest Cryptocurrency Mining Market NiceHash Hacked

https://www.bleepingcomputer.com/news/security/largest-cryptocurrency-mining-market-nicehash-hacked/

BBC: Millions 'stolen' in NiceHash Bitcoin heist

http://www.bbc.com/news/technology-42275523

WSJ: Hackers Steal $70 Million in Bitcoin

https://www.wsj.com/articles/millions-may-be-missing-in-bitcoin-heist-1512625176


 --

Stanford University Chief Digital Officer Loses Job Over Silence on Breach

(December 6, 2017)

A Stanford University official has stepped down from his job as Chief Digital Officer (CDO) of the University's Graduate School of Business after failing to disclose a breach that affected student financial aid application data and employee data.


Read more in:

Cyberscoop: Stanford U. official ousted after keeping quiet about huge exposure of sensitive data

https://www.cyberscoop.com/stanford-u-executive-loses-job-after-failure-to-disclose-14-terabyte-sensitive-data-exposure/?category_news=technology


**************************  SPONSORED LINKS  ********************************


1) Did you miss it? "Using Anti-Evasion to Block Stealth Attacks with Minerva Labs" Register: http://www.sans.org/info/200580


2) ICYMI:  "Breaking Down the Data: How Secure Are You and Your Supply Chain?" View the Archive:  http://www.sans.org/info/200585


3) "Stop All Imposter Threats Coming Into and Going Out of your Organization" with John Pescatore and Ryan Terry.  Register: http://www.sans.org/info/200590


*****************************************************************************

THE REST OF THE WEEK'S NEWS

 --

Google Releases Chrome 63

(December 7, 2017)

Chrome 63 has been moved to the stable channel for Windows, Mac, and Linux. The newest version of Google's browser includes fixes for 37 security issues. One of the flaws, an out-of-bounds write in QUIC (Quick UDP Internet Connections), is considered critical. Other changes to Chrome include new site isolation capability, and a feature that lets admins restrict access to browser extensions based on permissions.


Read more in:

Bleeping Computer: Google Chrome 63 Released for Android, Linux, Mac, and Windows

https://www.bleepingcomputer.com/news/software/google-chrome-63-released-for-android-linux-mac-and-windows/

eWeek: Enterprise Chrome Users Get New Browser Security Features

http://www.eweek.com/enterprise-apps/enterprise-chrome-users-get-new-browser-security-features

SC Magazine: Google patches 37 security issues in Chrome

https://www.scmagazine.com/google-patches-37-security-issues-in-chrome/article/712558/

Chrome: Stable Channel Update for Desktop

https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html

 

 --

Critical Flaw in Microsoft Malware Protection Engine

(December 7, 2017)

Microsoft has fixed a critical remote code execution flaw in its Malware Protection Engine (MPE). The issue arises when affected versions of MPE incorrectly scan a specially-crafted file. The fix requires no action from users.


Read more in:

Cyberscoop: Critical vulnerability found in Microsoft Malware Protection Engine

https://www.cyberscoop.com/critical-vulnerability-hits-microsoft-malware-protection-engine/

Microsoft: Microsoft Malware Protection Engine Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11937

 

 --

Additional Uber Breach Details

(December 6 & 7, 2017)

The massive data breach at Uber was reportedly the work of a 20-year-old Florida man. The company appears to have paid the man $100,000 USD through a bug bounty program to destroy the data he allegedly stole. Two anonymous sources say that Uber had the man sign a non-disclosure agreement and that the company conducted a forensic examination of his computer to ensure that the data had been removed.


Read more in:

Reuters: Exclusive: Uber paid 20-year-old Florida man to keep data breach secret - sources

https://www.reuters.com/article/us-uber-cyber-payment-exclusive/exclusive-uber-paid-20-year-old-florida-man-to-keep-data-breach-secret-sources-idUSKBN1E101C

Ars Technica: Uber used bug bounty program to launder blackmail payment to hacker

https://arstechnica.com/information-technology/2017/12/uber-used-bug-bounty-program-to-launder-blackmail-payment-to-hacker/

SC Magazine: Uber paid Florida hacker responsible for breach $100K through bug bounty program

https://www.scmagazine.com/uber-paid-florida-hacker-responsible-for-breach-100k-through-bug-bounty-program/article/712731/

CNET: Florida man, 20, reportedly behind massive hack at Uber

https://www.cnet.com/news/florida-man-20-reportedly-behind-massive-hack-at-uber/

 

 --

US Army Will Recruit Civilian Cybersecurity Experts

(December 5 & 7, 2017)

The US Army has launched a program to directly recruit civilian cybersecurity experts into its cybersecurity workforce. The US Army Cyber Command plans to directly commission five civilians over the next few months, and to continue to commission five additional officers every year for five years.


Read more in:

Stars and Stripes: Army launches direct commissioning program for civilian cybersecurity experts

https://www.stripes.com/news/army-launches-direct-commissioning-program-for-civilian-cybersecurity-experts-1.500949

 

 --

Intel ME Flaw Detailed at Black Hat

(December 6, 2017)

In a presentation at Black Hat Europe, researchers described how a stack buffer overflow flaw in Intel Management Engine (ME) firmware can be exploited to take control of a vulnerable machine, even when the machine is turned off. The exploit requires physical access to the machine. Intel has released a fix for the issue.


Read more in:

BlackHat: How to Hack a Turned-Off Computer, Or Running Unsigned Code in Intel Management Engine

https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

Dark Reading: How the Major Intel ME Firmware Flaw Lets Attackers Get 'God Mode' on a Machine

https://www.darkreading.com/vulnerabilities---threats/how-the-major-intel-me-firmware-flaw-lets-attackers-get-god-mode-on-a-machine/d/d-id/1330565

The Register: Intel Management Engine pwned by buffer overflow

http://www.theregister.co.uk/2017/12/06/intel_management_engine_pwned_by_buffer_overflow/

eWeek: Newly Revealed Flaw in Intel Processors Allows Undetectable Malware

http://www.eweek.com/security/newly-revealed-flaw-in-intel-processors-allows-undetectable-malware

 

 --

Apple Updates macOS High Sierra to Version 10.13.2, Releases Details About iOS 11.2 Security Content

(December 6 & 7, 2017)

Apple's newest version of macOS, High Sierra 10.13.2, includes a fix for the root password security issue that allowed anyone with physical access to a computer running an earlier version of macOS to log in as an administrator. Although Apple released iOS 11.2 on December 2, the company waited until the release of macOS 10.13.2 to make details about the security content of the iOS update public.


[Editor Comments]

[Northcutt] Haste makes waste. Since this flaw requires physical access to the Mac and because there have been some early problem reports, I recommend that organizations take time to test this update before implementing. If you feel you have to hurry, make sure to have a full backup:

http://bgr.com/2017/11/30/macos-high-sierra-file-sharing-issue-security-update/


Read more in:

eWeek: Apple Updates iOS and macOS With Patches for Critical Security Flaws

http://www.eweek.com/security/apple-updates-ios-and-macos-with-patches-for-critical-security-flaws

Ars Technica: macOS High Sierra 10.13.2 is here with enterprise and security updates

https://arstechnica.com/gadgets/2017/12/macos-high-sierra-10-13-2-is-here-with-enterprise-and-security-updates/

Softpedia: macOS High Sierra 10.13.2 Out with Permanent Fix for Root Password Security Flaw

http://news.softpedia.com/news/macos-high-sierra-10-13-2-out-with-permanent-fix-for-root-password-security-flaw-518864.shtml

Apple: About the macOS High Sierra 10.13.2 Update

https://support.apple.com/en-us/HT208179

Apple: About the security content of macOS High Sierra 10.13.2, Security Update 2017-002 Sierra, and Security Update 2017-005 El Capitan

https://support.apple.com/en-us/HT208331

 

 --

December Android Security Bulletin

(December 4, 5, & 6, 2017)

Google has released the December Android Security Bulletin, which addresses nearly 50 vulnerabilities affecting Nexus and Pixel devices. Google notified partners about the security issues at least one month ago.


Read more in:

ZDNet: Android security: Google details Pixel and Nexus vulnerabilities in December bulletin

http://www.zdnet.com/article/android-security-google-details-pixel-and-nexus-vulnerabilities-in-december-bulletin/

Threatpost: Google Patches Critical Encryption Bug Impacting Pixel, Nexus Phones

https://threatpost.com/google-patches-critical-encryption-bug-impacting-pixel-nexus-phones/129100/

The Register: Google prepares 47 Android bug fixes, ten of them rated Critical

http://www.theregister.co.uk/2017/12/05/android_december_security_bulletin/

Android: Android Security Bulletin-December 2017

https://source.android.com/security/bulletin/2017-12-01

 

 --

Apache Struts Updates

(December 5, 2017)

The Apache Software Foundation has released two updates to fix vulnerabilities in Apache Struts versions 2.5 to 2.5.14. One of the flaws could be exploited to take control of unpatched systems. Users are urged to upgrade to 2.5.14.1.


Read more in:

SC Magazine: Updates address vulnerabilities in Apache Struts versions 2.5 to 2.5.14

https://www.scmagazine.com/updates-address-vulnerabilities-in-apache-struts-versions-25-to-2514/article/712037/

US-CERT: Apache Software Foundation Releases Security Updates

https://www.us-cert.gov/ncas/current-activity/2017/12/04/Apache-Software-Foundation-Releases-Security-Updates

Apache: A crafted JSON request can be used to perform a DoS attack when using the Struts REST plugin

https://cwiki.apache.org/confluence/display/WW/S2-054

Apache: Vulnerability in the Jackson JSON library

https://cwiki.apache.org/confluence/display/WW/S2-055

 

 --

New US Homeland Security Secretary Has Extensive Cybersecurity Experience

(December 5, 2017)

The US Senate has confirmed Kirstjen Nielsen to be the new Secretary of the Department of Homeland Security (DHS). Nielsen is the former chief of staff to former DHS Secretary John Kelly. Nielsen has extensive experience as a private sector cybersecurity consultant.


Read more in:

Nextgov: Cyber Pro Confirmed as Homeland Security Secretary

http://www.nextgov.com/cybersecurity/2017/12/cyber-pro-confirmed-homeland-security-secretary/144322/

 

INTERNET STORM CENTER TECH CORNER

AI.Type Data Exposed in MongoDB Database

https://mackeepersecurity.com/post/virtual-keyboard-developer-leaked-31-million-of-client-records


Mailsploit Makes it Easier to Spoof From Headers in E-Mails

https://www.mailsploit.com


StorageCrypt Ransomware Encrypts NAS Devices

https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/


Android December Update

https://source.android.com/security/bulletin/2017-12-01

        

Apple Updates Everything

https://isc.sans.edu/forums/diary/Apple+Updates+Everything+Again/23107/


NiceHash Hacked

https://www.reddit.com/r/NiceHash/comments/7i0s6o/official_press_release_statement_by_nicehash/


Do Not Trust Reverse DNS. And here is an example why

https://isc.sans.edu/forums/diary/PSA+Do+not+Trust+Reverse+DNS+and+why+does+an+address+resolve+to+localhost/23105/


Positive Technologies Demonstrates Intel ME Exploit at Blackhat Europe

https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf


Tracking Users Without GPS

http://ieeexplore.ieee.org/document/8038870/


Process Doppelgaenger Anti-Malware Bypass

https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

        

******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create