SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #15
February 23, 2018
The top two stories in this issue highlight examples of the impact of hidden security threats facing organizations that have moved to the cloud. SANS convened a panel of the top U.S. experts in cloud security on AWS (all senior officials in cybersecurity at huge cloud user organizations) who will present their findings in the form of an invitation-only workshop on "The Top 10 (or so) Cloud Security Mistakes that Create the Greatest Risk." The workshop is planned for San Francisco in May. If you want an invitation, send a note to apaller@sans.org with subject "Cloud Top 10" and a brief summary of what you could add to the discussion or why you are well placed to put the list (which will include best available mitigations) to work to protect one or more large organizations. The preliminary list - developed last month and fleshed out in a workshop earlier this week in San Diego - is troubling because of the large number of organizations that have configured their systems with major vulnerabilities but are unaware.
Alan
****************************************************************************
SANS NewsBites February 23, 2018 Vol. 20, Num. 015
****************************************************************************
TOP OF THE NEWS
Amazon S3 Configuration Error Allowed Cryptomining Code on LA Times Web Page
Tesla Cloud Environment Hacked to Mine Cryptocurrency
US Customs and Border Patrol Not Verifying ePassport Digital Signatures
Making the Case for a Cybersecurity Safety Board
REST OF THE WEEK'S NEWS
JP Morgan Chase Site Bug Let Some Customers View Others' Data
Cisco's 2018 Annual Cybersecurity Report
SEC Updates Cybersecurity Incident Disclosure Guidance
DHS Classified Briefings for State Election Officials
Government Health Benefits Provider Refusing Mandated OPM Audit
DHS is Not Adequately Implementing HSPD-12 Requirements
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Splunk ***************************
Gartner Names Splunk a SIEM Magic Quadrant Leader for the Fifth Year Running!
Gartner recently published its 2017 Magic Quadrant (MQ) for Security Information and Event Management where Splunk was named a leader in the security information and event management (SIEM) market. Read the report to learn why Splunk is part of the select few that can replace outdated SIEM deployments and deliver the security analytics solution of tomorrow. http://www.sans.org/info/202240
*****************************************************************************
TRAINING UPDATE
-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018
-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018
-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018
-- SANS Northern VA SpringTysons 2018 | March 17-24 | https://www.sans.org/event/northern-va-spring-tysons-2018
-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018
-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018
-- SANS at RSA Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018
-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018
-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018
-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018
-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad, Samsung Galaxy Tab A or take $250 Off your OnDemand or vLive training course by March 7. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
*****************************************************************************
TOP OF THE NEWS
--
Amazon S3 Configuration Error Allowed Cryptomining Code on LA Times Web Page
(February 22, 2018)
Cryptomining code was found on a Los Angeles Times webpage. The cryptominer from Coinhive harnessed the processing power of devices that visited the page to mine for Monero cryptocurrency. On the LA Times site, the cryptominer was throttled down, making it less likely for users to notice it running in the background of their devices. The code has been removed from the site.
[Editor Comments]
[Williams] ThreatPost and The Register focused on cryptomining - the big story is the Amazon Web Services configuration error. Cryptominers do not pose much risk to their "victims" other than slightly increasing their power bill. In this case though, the cryptominer was introduced because the S3 bucket being used for content delivery was world writeable. Attackers could have delivered truly destructive malware (like ransomware) using the same techniques. Sadly, the more destructive attack probably would have made more money for the attackers. Amazon needs to seriously ask what purpose world writeable S3 buckets serve and whether the limited use cases for them are worth the significant risks they pose.
Read more in:
Threatpost: Cryptojacking Attack Found on Los Angeles Times Website
https://threatpost.com/cryptojacking-attack-found-on-los-angeles-times-website/130041/
The Register: Guys, you're killing us! LA Times homicide site hacked to mine crypto-coins on netizens' PCs
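The misconfiguration behind this story is a content-delivery bucket that anyone could write to. As an added example (not code from the NewsBites item or from Amazon), the following Python audits the JSON documents that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return, flagging anonymous write grants; it runs offline against constructed sample documents, and the bucket name and owner ID are placeholders.

```python
"""Flag S3 bucket ACLs and bucket policies that grant anonymous write access.

Added example: evaluates the JSON shapes returned by `aws s3api get-bucket-acl`
and `get-bucket-policy`, using constructed sample documents (placeholder
bucket name and owner ID) so it runs offline.
"""
import json

# ACL group URIs meaning "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "FULL_CONTROL"}   # ACL permissions that allow PutObject
WRITE_ACTIONS = {"s3:putobject", "s3:*", "*"}   # policy actions that allow PutObject


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. every caller including anonymous."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def acl_public_write_grants(acl):
    """Return (grantee URI, permission) pairs from a get-bucket-acl document that give public write."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        public_group = grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS
        if public_group and grant.get("Permission") in WRITE_PERMISSIONS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def policy_public_write_statements(policy):
    """Return Sids of Allow statements that grant a write action to everyone."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & WRITE_ACTIONS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def bucket_is_world_writable(acl, policy):
    return bool(acl_public_write_grants(acl) or policy_public_write_statements(policy))


# Constructed samples: an ACL granting AllUsers WRITE (the misconfiguration in the story),
# an owner-only ACL, a read-only policy suited to static content delivery, and a policy
# that mistakenly allows s3:PutObject to everyone.
BAD_ACL = json.loads("""{"Owner": {"ID": "example-owner"}, "Grants": [
  {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
   "Permission": "WRITE"}]}""")
SAFE_ACL = {"Owner": {"ID": "example-owner"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"}]}
READ_ONLY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    print("public-write ACL :", bucket_is_world_writable(BAD_ACL, READ_ONLY_POLICY))   # True
    print("public-write policy:", bucket_is_world_writable(SAFE_ACL, BAD_POLICY))      # True
    print("hardened bucket  :", bucket_is_world_writable(SAFE_ACL, READ_ONLY_POLICY))  # False
```

A public `s3:GetObject` statement alone is what a content-delivery bucket needs; any grant that adds WRITE, FULL_CONTROL or PutObject for everyone is the condition this check reports.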
--
Tesla Cloud Environment Hacked to Mine Cryptocurrency
(February 20, 2018)
Inadequately protected elements of Tesla's cloud environment were breached and used to run cryptocurrency mining software. A Tesla representative wrote in an email that the issue was addressed within hours of the company being notified.
Read more in:
Ars Technica: Tesla cloud resources are hacked to run cryptocurrency-mining malware
Cyberscoop: Tesla falls victim to cryptomining scheme, minor breach
https://www.cyberscoop.com/tesla-cryptomining-redlock-cloud-breach/
Motherboard: Hackers Infiltrated Tesla to Mine Cryptocurrency
https://motherboard.vice.com/en_us/article/9kzn3a/hackers-infiltrated-tesla-to-mine-cryptocurrency
--
US Customs and Border Patrol Not Verifying ePassport Digital Signatures
(February 22, 2018)
While ePassports were introduced in 2007, and are required of countries on the US visa waiver list for entry into the country, US Customs and Border Patrol (CBP) lacks the necessary technology to verify the digital signatures contained in the documents' chips. Without the means to validate the information, CBP cannot tell if the data have been altered or forged. US Senators Ron Wyden (D-Oregon) and Claire McCaskill (D-Missouri) have sent a letter to the CBP acting commissioner asking that CBP "immediately act to utilize the anti-forgery and anti-tamper features in ePassports."
[Editor Comments]
[Pescatore] Back in 2009, US Customs and Border Patrol (CBP) agreed with the GAO findings and agreed to work with the U.S. Department of State and other parts of DHS to fix the problem. Zero action in 9 years??
Read more in:
ZDNet: US border officials haven't properly verified visitor passports for more than a decade
--
Making the Case for a Cybersecurity Safety Board
(February 21, 2018)
The US National Transportation Safety Board (NTSB) investigates airplane crashes and other transportation incidents in the US, issuing its findings in public reports and suggesting new regulations to improve safety. A similar approach to cybersecurity could help organizations improve their cybersecurity postures.
[Editor Comments]
[Pescatore] Steve Bellovin first proposed this back in 2012, in IEEE Security Privacy; it is a great idea.
Read more in:
The Conversation: How airplane crash investigations can improve cybersecurity
http://theconversation.com/how-airplane-crash-investigations-can-improve-cybersecurity-91177
************************** SPONSORED LINKS ********************************
1) Join us for Build or Buy? Successfully Scaling Your SOC. Register now! http://www.sans.org/info/202245
2) Don't Miss "52% of Companies Sacrifice Cybersecurity for Speed" Register to hear discussion about the current status, gaps, and obstacles of DevSecOps. http://www.sans.org/info/202250
3) Dave Shackleford will discuss his experience reviewing LogRhythm CloudAI as he runs through various use cases, such as insider threat, account compromise and admin abuse. Register: http://www.sans.org/info/202255
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
JP Morgan Chase Site Bug Let Some Customers View Others' Data
(February 22, 2018)
A flaw in the JP Morgan Chase website allowed certain customers to access other customers' personal information. The problem redirected users to others' accounts after login between 6:30PM ET and 9:30PM ET on Wednesday, February 21. A Chase official said that they "know for sure the glitch was on our end, not from a malicious actor." The issue has been resolved.
Read more in:
KrebsOnSecurity: Chase 'Glitch' Exposed Customer Accounts
https://krebsonsecurity.com/2018/02/chase-glitch-exposed-customer-accounts/
CNBC: JP Morgan Chase glitch gave some online users access to others' accounts
--
Cisco's 2018 Annual Cybersecurity Report
(February 21, 2018)
According to Cisco's 2018 Annual Cybersecurity Report, nearly 40 percent of organizations employ automated cyber-security efforts. Other findings include an increasing use of sophisticated techniques to evade sandboxes and an increase in the "complexity, frequency, and duration" of burst attacks. The findings were drawn from Cisco's own efforts and a survey of 3,600 Chief Information Security Officers (CISOs).
Read more in:
eWeek: Cisco Report Finds Organizations Relying on Automated Cyber-Security
http://www.eweek.com/security/cisco-report-finds-organizations-relying-on-automated-cyber-security
Cisco: 2018 Annual Cybersecurity Report
https://www.cisco.com/c/en/us/products/security/security-reports.html
--
SEC Updates Cybersecurity Incident Disclosure Guidance
(February 21, 2018)
The US Securities and Exchange Commission (SEC) has issued revised guidance for private companies regarding disclosure of cybersecurity incidents. The guidance calls for companies to provide more information about cybersecurity incidents in a more timely fashion. The document also says that "directors, officers, and other corporate insiders must not trade a public company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company."
[Editor Comments]
[Pescatore] The 2011 SEC guidance mainly resulted in companies simply adding draconian cyber-risks to their lists of apocalyptic business risks that they enumerate in every release - the "Your Mileage May Vary if the World Ends" section no one reads. Good to see the SEC refine that guidance and remind directors that not only do cyber incidents impact customers, they will impact your ability to profit on trading your company's stock, a nice attention grabber.
Read more in:
SC Magazine: SEC issues cybersecurity guidance disclosure
https://www.scmagazine.com/sec-issues-cybersecurity-guidance-disclosure/article/745806/
Dark Reading: SEC: Companies Must Disclose More Info on Cybersecurity Attacks & Risks
Bleeping Computer: After Intel & Equifax Incidents, SEC Warns Execs Not to Trade Stock While Investigating Security Incidents
Reuters: U.S. SEC calls for 'clearer' cyber risk disclosure from companies
SEC: Commission Statement and Guidance on Public Company Cybersecurity Disclosures (PDF)
https://www.sec.gov/rules/interp/2018/33-10459.pdf
--
DHS Classified Briefings for State Election Officials
(February 20, 2018)
The US Department of Homeland Security (DHS) provided state election officials with classified briefings on election systems cybersecurity. The election officials were in Washington, DC, for a meeting of the National Association for Secretaries of State (NASS) and the National Association of State Election Directors. DHS described the briefings as being "focused on increasing awareness of foreign adversary intent and capabilities against the states' election infrastructure, as well as a discussion of threat mitigation efforts."
Read more in:
FCW: State officials get classified briefings on election security
https://fcw.com/articles/2018/02/20/dhs-state-voting-cyber.aspx?admgarea=TC_Security
--
Government Health Benefits Provider Refusing Mandated OPM Audit
(February 21, 2018)
Health Net of California, a US federal government health benefits provider, is refusing to allow the Office of Personnel Management (OPM) to scan its systems for vulnerabilities. The company's contract with the federal government stipulates that the OPM Office of Inspector General (OIG) has the authority to scan its IT systems. Health Net of California is resisting the audit because it believes the audit's scope - scanning the organization's entire IT environment - is too broad. OPM OIG says that Health Net is in breach of contract. The issue is whether auditors should be allowed to access systems directly or whether, alternatively, they should be satisfied with the company's own scans.
Read more in:
Nextgov: Federal Health Insurer Denies Auditors Access To Its IT Systems
--
DHS is Not Adequately Implementing HSPD-12 Requirements
(February 20, 2018)
According to an audit from the US Department of Homeland Security (DHS) Office of Inspector General (OIG), DHS is not making progress in implementing the requirements set by Homeland Security Presidential Directive 12 (HSPD-12). Among the concerns the report raises are DHS's failure to ensure that former contractors are prevented from accessing physical facilities and information systems. The DHS is not adequately accounting for and retaining PIV cards from contractors whose work has concluded.
[Editor Comments]
[Murray] In one client, many years ago, we found 400 user accounts that had not been used in more than a year; half of those were assigned to outside contractors.
Read more in:
FCW: IG: DHS still can't account for expired contractor PIV cards
https://fcw.com/articles/2018/02/20/dhs-piv-access-report.aspx?admgarea=TC_Security
DHS OIG: Department-wide Management of the HSPD-12 Program Needs Improvement (PDF)
https://www.oversight.gov/sites/default/files/oig-reports/OIG-18-51-Feb18.pdf
INTERNET STORM CENTER TECH CORNER
Statically Unpacking a Brazilian Banker Malware Sample
https://isc.sans.edu/forums/diary/Statically+Unpacking+a+Brazilian+Banker+Malware/23359/
More Crypto Miners
https://blog.redlock.io/cryptojacking-tesla
Difficulties Detecting Coldroot RAT Affecting MacOS/OSX Systems
https://objective-see.com/blog/blog_0x2A.html
uTorrent Remote Code Execution Vulnerability
https://bugs.chromium.org/p/project-zero/issues/detail?id=1524
Password Spraying for Active Directory Credentials
Critical Cisco Vulnerabilities
https://tools.cisco.com/security/center/publicationListing.x
Windows Privilege Escalation Flaw
https://bugs.chromium.org/p/project-zero/issues/detail?id=1428
Another Intel Spectre Update
https://newsroom.intel.com/news/latest-intel-security-news-updated-firmware-available/
npm Patch kills BSD Systems
http://blog.npmjs.org/post/171169301000/v571
https://github.com/npm/npm/issues/19883
Counterfeit Code Signing Certificates on the Rise
https://www.recordedfuture.com/code-signing-certificates/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create