SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #10
February 6, 2018
****************************************************************************
SANS NewsBites February 6, 2018 Vol. 20, Num. 010
****************************************************************************
TOP OF THE NEWS
High School Girls in 16 States Get Fast Track to Cybersecurity Careers
200 NHS Trusts Fail Cyber Security Assessments
NIST Data Protection Standards for Defense and Civilian Contractors
REST OF THE WEEK'S NEWS
Charges Filed in Jackpotting Case
UK Police Take Down LuminosityLink Website
Grammarly Patches Chrome Extension Flaw
Cisco Issues New Fix for ASA Vulnerability
Kelihos Suspect Extradited to US
FBI Warns of Attack Spoofing its Internet Crime Complaint Center (IC3)
Microsoft Products Will Identify and Delete Coercive Software
Allianz Cyberinsurance Discount for Apple and Cisco Users
INTERNET STORM CENTER TECH CORNER
CYBERSTART ANNOUNCEMENTS BY STATE GOVERNORS AND WHAT PLAYERS ARE SAYING
*************************** Sponsored By Carbon Black *********************
Get the free Gartner for Endpoint Protection Platforms (EPP) Magic Quadrant Report: http://www.sans.org/info/201790
*****************************************************************************
TRAINING UPDATE
-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018
-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018
-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018
-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018
-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018
-- SANS Northern VA Spring - Tysons 2018 | March 17-24 | https://www.sans.org/event/northern-va-spring-tysons-2018
-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018
-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018
-- SANS at RSA(R) Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018
-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018
-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad Mini, Samsung Galaxy Tab S2 or take $300 Off your OnDemand or vLive training course by February 7. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
*****************************************************************************
TOP OF THE NEWS
--
High School Girls in 16 States Get Fast Track to Cybersecurity Careers
(Feb 4, 2018)
More than 2,100 high school girls signed up for CyberStart in the first 8 days (11 days left) after the governors of Connecticut, Maryland, Texas, Nevada and 12 other states announced the program that allows girls to discover their talent and passion for cybersecurity. (See the 16 governors' announcements and what the players are saying at the end of this NewsBites.)
Try out some of the CyberStart challenges at
https://medium.com/girls-go-cyberstart/girls-go-cyberstart-challenge-teasers-ea7d0c35c5d3
Press:
http://abcnews.go.com/Technology/wireStory/woman-top-game-seeks-girls-cyber-aptitude-52828858
[Editor's Note (Paller): The United Kingdom and two U.S. states (Maryland and Nevada) have launched full-scale "Fast Tracks" to cybersecurity careers that find talent and then guide that talent through additional skills and knowledge development and then into finely tuned internships that make the candidates job-ready. All of the programs start with CyberStart. More info at Cyberstart.us or email support@girlsgocyberstart.us]
--
200 NHS Trusts Fail Cyber Security Assessments
(February 5, 2018)
NHS deputy chief executive Rob Shaw told UK MPs that while none of the 200 NHS Trusts that have undergone a cybersecurity assessment has met the standard's requirements, many have taken steps to improve their cyber security posture. Shaw noted that the standard sets a "high bar." Last spring, the WannaCry ransomware attack infected computer systems in at least one third of the UK's 236 NHS Trusts as well as nearly 600 GP surgeries.
[Editor Comments]
[Murray] Yesterday's "high bar" is today's essential practice.
Read more in:
The Guardian: Every NHS trust tested for cybersecurity has failed, officials admit
Daily Mail: NHS trusts failing to meet cyber security standards, digital chief reveals
--
NIST Data Protection Standards for Defense and Civilian Contractors
(February 5, 2018)
US federal agencies and contractors are working on adopting the standards laid out in the National Institute of Standards and Technology's (NIST's) SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The publication enumerates standards for handling federal data that are shared on non-government owned systems. Initially, Department of Defense (DoD) contractors had a compliance deadline of January 1, 2018, but the requirement was changed so that contractors needed to have a compliance plan in place by that date. The General Services Administration (GSA) has proposed a rule that would require civilian contractors to comply with the standards as well.
[Editor Comments]
[Murray] The problem is not that we do not know what to do. It is that we lack the will to do it. Standards do not seem to prop up motive.
Read more in:
FNR: Defense, civilian contractors laying groundwork to implement NIST information-sharing framework
NIST: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
************************** SPONSORED LINKS ********************************
1) Crypto Crime: Hunting for Cryptocurrency Mining in Your Enterprise - Register now! http://www.sans.org/info/201795
2) Don't Miss: "A pen-testers perspective on malware & ransomware attack techniques and the state of endpoint security" Register: http://www.sans.org/info/201800
3) "Walk, Run, Fly: Key Characteristics of Attaining an Advanced SOC Best practice tips on how to enter the advanced SOC dimension" Register: http://www.sans.org/info/201805
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
Charges Filed in Jackpotting Case
(February 5, 2018)
The US Department of Justice (DoJ) says it has charged two people with bank fraud in connection with ATM jackpotting attacks. Two men, one from Spain, the other from Massachusetts, were arrested on January 27. They appeared before a federal judge in Connecticut on February 5. Jackpotting attacks involve altering and manipulating ATMs to cause them to dispense all their cash.
Read more in:
Reuters: U.S. charges two suspects in ATM 'jackpotting' case
Hartford Courant: Two Charged With Draining ATMs In Hi-Tech "Jackpotting" Scheme
http://www.courant.com/news/connecticut/hc-atm-jackpotting-20180205-story.html
DoJ: Two Men Charged in ATM "Jackpotting" Scheme
https://www.justice.gov/usao-ct/pr/two-men-charged-atm-jackpotting-scheme
--
UK Police Take Down LuminosityLink Website
(February 5, 2018)
The UK's National Crime Agency has taken down the website that sold the LuminosityLink remote access Trojan (RAT). The spyware was marketed as legitimate software that Windows admins could use to manage many computers at the same time. Its features include being able to manage clients through Remote Desktop, keystroke logging, password recovery, and disabling security software. According to the National Crime Agency, the spyware "can no longer be used by those who bought it."
Read more in:
Bleeping Computer: UK Cops Shut Down LuminosityLink RAT Operation
https://www.bleepingcomputer.com/news/security/uk-cops-shut-down-luminositylink-rat-operation/
ZDNet: LuminosityLink spyware giving attackers total control of your PC is taken out by cops
NCA: Data stealing hacking tool taken out of use
http://www.nationalcrimeagency.gov.uk/news/1283-data-stealing-hacking-tool-taken-out-of-use
--
Grammarly Patches Chrome Extension Flaw
(February 5, 2018)
Grammarly has fixed a vulnerability in its Chrome browser extension that exposed authentication tokens to websites, allowing them to take over users' identities and access users' documents. Grammarly pushed out an update to the Chrome Web Store and to Mozilla just hours after learning of the issue. Google Project Zero researcher Tavis Ormandy reported the flaw.
Read more in:
Chromium: Grammarly: auth tokens are accessible to all websites
https://bugs.chromium.org/p/project-zero/issues/detail?id=1527&desc=2#maincol
Threatpost: Grammarly Patches Chrome Extension Bug That Exposed Users' Docs
https://threatpost.com/grammarly-patches-chrome-extension-bug-that-exposed-users-docs/129794/
ZDNet: Grammarly's flawed Chrome extension exposed users' private documents
http://www.zdnet.com/article/grammarly-flawed-chrome-extension-exposed-private-documents/
--
Cisco Issues New Fix for ASA Vulnerability
(February 5, 2018)
The flaw in Cisco's Adaptive Security Appliance (ASA) devices that was disclosed last week is broader and more complex than first believed; the patch Cisco released last week does not address all possible attack vectors and affected features. Cisco has released "a new comprehensive fix for Cisco ASA platforms."
Read more in:
Cyberscoop: Cisco investigation reveals ASA vulnerability is worse than originally thought
https://www.cyberscoop.com/cisco-asa-vulnerability-worse-than-thought/
Cisco: Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
--
Kelihos Suspect Extradited to US
(February 2 & 5, 2018)
Peter Levashov, the man believed to be largely responsible for the Kelihos botnet, has been extradited to the US from Spain, where he was arrested last April. Kelihos, aka Waledac, was used to send hundreds of millions of spam emails. Levashov appeared in US District Court in Bridgeport, Connecticut on Friday, February 2, where he pleaded not guilty to charges related to operating the botnet. (Please note that the WSJ article is behind a paywall.)
[Editor Comments]
[Henry] The ability for law enforcement to work collaboratively with the private sector and international partners, beyond geographic lines, to "reach out and touch" those suspected of criminality, is critical to mitigating this threat. Adversaries will continue to change their attack tactics to defeat defenses, indefinitely, until there's actually a deterrent to their malicious behavior. That includes judicial actions, up to and including incarceration if proven guilty.
Read more in:
Dark Reading: Russian National Arrested for Kelihos Botnet Sent to US
KrebsOnSecurity: Alleged Spam Kingpin 'Severa' Extradited to US
https://krebsonsecurity.com/2018/02/alleged-spam-kingpin-severa-extradited-to-us/
WSJ: Russian Extradited to U.S. to Face Cybercrime Charges Pleads Not Guilty
DoJ: Alleged Operator of Kelihos Botnet Extradited From Spain
https://www.justice.gov/opa/pr/alleged-operator-kelihos-botnet-extradited-spain
--
FBI Warns of Attack Spoofing its Internet Crime Complaint Center (IC3)
(February 2, 2018)
Cyber criminals are impersonating the FBI's Internet Crime Complaint Center (IC3) to trick users into divulging sensitive information. Some users have received emails purporting to be from IC3, claiming that they are entitled to restitution for being a victim of online fraud. Other reported attack vectors include additional fake emails and a phony IC3 social media page.
[Editor Comments]
[Henry] We've seen criminal actors taking advantage of innocent victims for many years, especially on the heels of national catastrophes such as hurricanes and terrorist events, where they set up mirrored and/or fraudulent websites. In this case, the crooks are capitalizing on victims' interest in being made whole after a loss... though they're once again being victimized via theft of their sensitive data. Vigilance and education are the primary components to overcoming this.
Read more in:
Dark Reading: Cyberattack Impersonates FBI Internet Crime Complaint Center
--
Automation and Orchestration
(January 29, 2018)
Speaking on a panel at the Institute for Critical Infrastructure Technology Winter Summit in Arlington, Virginia last week, DHS deputy chief information security officer Paul Beckman said that automation could help the agency address the majority of the gaps in its cyber strategy but that "we still need humans' unique ability for orchestration - the integration of cybersecurity efforts to enable automated incident response."
[Editor Comments]
[Pescatore] Imagine automating and orchestrating an actual orchestra of people who listened to a lot of music, but had never actually played an instrument. The noise produced really wouldn't be much of a threat to a high school band, let alone the Boston Symphony Orchestra...
[Henry] The need to automate security is necessary for effective and efficient response. Human-only intervention on large networks... thousands or even hundreds of thousands of endpoints... can't scale and is bound to fail. Humans need to interpret data anomalies, and can add great value, but the majority of data aggregation, analysis, and integration needs to move to an automated solution.
Read more in:
GCN: Addressing cyber gaps with automation and orchestration
https://gcn.com/articles/2018/01/29/cyber-automation-orchestration.aspx
--
Microsoft Products Will Identify and Delete Coercive Software
(January 31, 2018)
Starting on March 1, 2018, Microsoft Windows Defender Antivirus, along with other Microsoft security products, will begin detecting and deleting so-called "free" software that claims to scan users' computers for security issues and tries to scare them into paying for upgrades to premium versions of the software.
Read more in:
Tech Republic: Windows will delete software that scares users into paying for upgrades
Microsoft: Protecting customers from being intimidated into making an unnecessary purchase
--
Allianz Cyberinsurance Discount for Apple and Cisco Users
(February 5, 2018)
Insurance company Allianz has announced a discount, including a lower or no deductible, for customers using Cisco Ransomware Defense or Apple's iPhone, iPad and Mac. Apple and Cisco have been working for three years to make their products more compatible with each other.
[Editor Comments]
[Northcutt] The concept of rewarding insurees for good choices makes all the sense in the world, but we really haven't seen it happen. There was the Chubb Core Impact matchup in 2009. It is certainly an idea whose time has come. Here is hoping there is more to come.
Read more in:
http://fortune.com/2018/02/05/apple-cisco-allianz-cybersecurity-insurance/
INTERNET STORM CENTER TECH CORNER
Simple but Effective Malicious XLS Sheet
https://isc.sans.edu/forums/diary/Simple+but+Effective+Malicious+XLS+Sheet/23305/
Botnet Taking Advantage of Exposed Debug Port
Quantifying Untrusted Symantec Certificates
https://arkadiyt.com/2018/02/04/quantifying-untrusted-symantec-certificates/
Cisco Releases New Fix for ASA Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1
TLS Extension Covert Channel
https://www.fidelissecurity.com/threatgeek/2018/02/exposing-x509-vulnerabilities
CSRF Token Exfil via CSS
https://github.com/dxa4481/cssInjection
CYBERSTART ANNOUNCEMENTS BY STATE GOVERNORS AND WHAT PLAYERS ARE SAYING
Girls who attend high school in these states are eligible
Delaware: https://news.delaware.gov/2018/01/22/girls-go-cyberstart/
Maine: https://mainedoenews.net/2018/01/16/media-release-maine-partners-in-national-innovative-cybersecurity-opportunity-for-young-women-in-high-school/ Plus the Maine Governor's tweet announcing it
Mississippi: http://www.wtok.com/community?c=y&date=1/15/2018
North Carolina: https://governor.nc.gov/news/gov-cooper-encourages-nc-high-school-girls-join-innovative-cybersecurity-competition
American Samoa: http://www.samoanews.com/local-news/american-samoa-participate-girls-go-cyberstart-challenge
The game play begins at 9:00 a.m. on February 20 and stops at 11:59 p.m. on February 25. To learn more, visit https://girlsgocyberstart.com/.
Here are a few of the notes college and high school students wrote their governors last summer, illustrating how the program inspires as well as teaches and finds talent. All are posted in the governors' booklets at cyberstart.us
HIGH SCHOOL
1. Thank you so much for bringing this challenge to our area. It has opened up an entire world that was previously closed to me. (Laura Garman, Briar Woods HS, Virginia, Grade 11)
2. In my high school, there are rarely any opportunities like this where someone like me who knows nothing about cybersecurity can, one, learn about it, and two, love everything about it, from the difficult puzzles to the unique challenges. I hope that something like this will be offered again - not only to me but to all those who have been waiting for this golden opportunity in their lives. (Carl Antiado, H.P. Baldwin HS, Maui, Grade 11)
3. I love the fact I can build upon my existing knowledge in programming and networking from school and apply it to solve challenging technical problems that I have never faced before. This has been a fantastic experience. (Matthew Cinnamon, Forest Park HS, Virginia, Grade 12)
4. Thank you for the opportunity! I had no knowledge of the cybersecurity field, but I wanted to learn. This program helped me do so. (Alec Shalk, Smyrna High School, Delaware, Grade 12)
COLLEGE
1. You can't imagine how much this helped me improve my skills in multiple programming languages, and with understanding what cybersecurity really is. (Chioma Nwizu, Iowa State University, Iowa College Freshman)
2. Thanks! CyberStart has been a lot of fun so far, and it's an exciting test of abilities that I haven't been able to learn at school. (Noah Hattrick, Spring Arbor Univ., Michigan, College Senior)
3. This program taught me more than an entire semester in college. (Ryan Nakata, University of Hawaii, College Junior)
4. This was amazing. Even as a 5th year computer science student I was learning new things. I especially liked how it encouraged you to do the research necessary to solve the problems: it didn't just show you how to do everything. (Jordan Newton, George Mason University, College Senior)
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create