SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #16

February 27, 2018

****************************************************************************

SANS NewsBites               February 27, 2018                Vol. 20, Num. 016

****************************************************************************

TOP OF THE NEWS

Chinese Hackers Breached UK Think Tanks

FTC Warns Users on VPN Apps


REST OF THE WEEK'S NEWS

US Justice Dept. Establishing Cyber-Digital Task Force

Prison Sentence for NanoCore RAT Author

Ethereum Cryptocurrency Stolen from CoinDash is Returned

Coinbase Notifies Customers It Intends to Comply with IRS Request for Information

Private Browsing Lacks Privacy

Flash Flaw Exploited in Another Round of Phishing Attacks

US Intel Says Russia Launched "False Flag" Olympics Cyberattack

Drupal Patches Seven Vulnerabilities

INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By Sophos Inc. ***********************


Cybercriminals are smart. Get endpoint protection that's even smarter. Sophos Intercept X is the world's most comprehensive next-gen endpoint protection that finds and stops ransomware and never-seen-before threats. Try for yourself - for free.

http://www.sans.org/info/202260


*****************************************************************************

TRAINING UPDATE


-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018


-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018


-- SANS Northern VA Spring - Tysons 2018 | March 17-24 | https://www.sans.org/event/northern-va-spring-tysons-2018


-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018


-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018


-- SANS at RSA(R) Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018


-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018


-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018


-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018


-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad, Samsung Galaxy Tab A or take $250 Off your OnDemand or vLive training course by March 7. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast - https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all


*****************************************************************************

TOP OF THE NEWS

 --

Chinese Hackers Breached UK Think Tanks

(February 26, 2018)

Chinese hackers have breached networks at several UK think tanks. The targeted organizations focus on international security and defense.  

Read more in:

BBC: UK think tanks hacked by groups in China, cyber-security firm says

http://www.bbc.com/news/uk-43172371

 

 --

FTC Warns Users on VPN Apps

(February 23, 2018)

In a blog post last week, the US Federal Trade Commission warns consumers to thoroughly research VPN apps before using them. According to a report from researchers at CSIRO, the University of New South Wales, ICSI, and the University of California at Berkeley that examined nearly 300 VPN apps, many did not encrypt traffic and requested information and privileges that could put consumers' privacy at risk. Some VPN apps sell customer data to third parties.


[Editor Comments]

[Ullrich] Aside from the obvious issue of not encrypting traffic, the privacy of VPNs may be subverted at the VPN endpoint by unscrupulous operators intercepting and in some cases even manipulating customer traffic. Also remember that the VPN only replaces one IP address (your home address for example) with a new address (the VPN's IP address), and most tracking technologies do not use the user's IP address but instead rely on browser features to track users. It often is safer and not much more expensive to set up your own VPN endpoint on a cheap cloud server.

 

[Pescatore] The FTC is being its usual proactive self in bringing this issue up, but the guidance pretty much says "research VPN apps before you use them." There are so many bogus product reviews on the Internet that there is other existing guidance around the "Consumer Review Fairness Act" - very confusing. The government can't really recommend any individual review site, but when I get questions like this I usually point to CNET for having a track record of useful and unbiased reviews of consumer software and security products.


Read more in:

FTC: Shopping for a VPN app? Read this.

https://www.consumer.ftc.gov/blog/2018/02/shopping-vpn-app-read

ICIR: An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

http://www.icir.org/vern/papers/vpn-apps-imc16.pdf

SC Magazine: FTC warning users to do homework before using VPN apps

https://www.scmagazine.com/vpn-shoppers-warned-to-do-their-homework-before-using-vpn-apps/article/746475/


**************************  SPONSORED LINKS  ********************************


1) Learn how to scale your security operations center (SOC) to stop more attacks. Register now!  http://www.sans.org/info/202265


2) Register for the Hacking Exposed webinar with Cylance CEO Stuart McClure on March 15.  http://www.sans.org/info/202270


3) Take the SANS IIoT Survey by April 9 to enter to win a $400 Amazon gift card!  http://www.sans.org/info/202275


*****************************************************************************

THE REST OF THE WEEK'S NEWS

 --

US Justice Dept. Establishing Cyber-Digital Task Force

(February 20, 2018)

The US Department of Justice (DoJ) is establishing a cybersecurity task force to examine Internet-related DoJ cases and to identify how DoJ can better carry out its mission in the digital age.


Read more in:

Cyberscoop: DOJ looks to improve handling of cyberthreats with new task force

https://www.cyberscoop.com/doj-cyber-task-force/

DoJ: Attorney General Sessions Announces New Cybersecurity Task Force

https://www.justice.gov/opa/pr/attorney-general-sessions-announces-new-cybersecurity-task-force


 --

Prison Sentence for NanoCore RAT Author

(February 27, 2018)

Taylor Huddleston has been sentenced to three years in prison for creating and selling a remote access Trojan (RAT) known as NanoCore. Huddleston pleaded guilty in July 2017 to aiding and abetting computer intrusions. The case is unusual because Huddleston was charged not for using the RAT, but for developing and selling it.


Read more in:

The Register: RAT king thrown in the slammer for peddling NanoCore PC nasty

http://www.theregister.co.uk/2018/02/27/nanocore_rat_coder_33_months/

 

 --

Ethereum Cryptocurrency Stolen from CoinDash is Returned

(February 26, 2018)

The thief who stole nearly $40 million worth of Ethereum from CoinDash last summer appears to have returned some of the cryptocurrency to CoinDash. At the time Ethereum was stolen, losses were estimated to be $7 million USD. In September 2017, 10,000 Ethereum were returned, and now CoinDash says an additional 20,000 have been returned. The returned funds now have a value of more than $26 million USD. The thief appears to have kept another 13,400 Ethereum, valued at about $11.7 million USD.


Read more in:

ZDNet: Hacker returns 20,000 ETH stolen during CoinDash ICO

http://www.zdnet.com/article/hacker-returns-20000-eth-stolen-during-coindash-ico/

Bleeping Computer: Hacker Returns $26 Million Worth of Ethereum Back to Hacked Company

https://www.bleepingcomputer.com/news/cryptocurrency/hacker-returns-26-million-worth-of-ethereum-back-to-hacked-company/

 

 --

Coinbase Notifies Customers It Intends to Comply with IRS Request for Information

(February 26, 2018)

Digital currency exchange Coinbase will comply with a court order to provide the US Internal Revenue Service (IRS) with information on approximately 13,000 customers. The IRS is seeking the information as part of a tax evasion case. Coinbase has been asked to provide taxpayer IDs, names, birthdates, addresses, and historical transaction information for customers who made high-value transactions between 2013 and 2015.    


[Editor Comments]

[Pescatore] The IRS put out guidance on the tax treatment of virtual currency trading back in 2014, so this really shouldn't be a surprise.


Read more in:

Ars Technica: Coinbase: We will send data on 13,000 users to IRS

https://arstechnica.com/tech-policy/2018/02/coinbase-we-will-send-data-on-13000-users-to-irs/

Coinbase: IRS Notification

https://support.coinbase.com/customer/portal/articles/2924446

 

 --

Private Browsing Lacks Privacy

(February 26, 2018)

Researchers from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) delivered a paper at the Network and Distributed Systems Security Symposium describing a framework to improve the privacy of private browsing modes. The framework is necessary because even in private modes, browsers can leak information.


[Editor Comments]

[Honan] We need to be careful as to how online privacy is promoted to users. Many think that using privacy mode in their browser makes their activities untraceable. In reality, their DNS provider and/or their VPN provider (see related story) probably know more about their browsing habits than the users themselves.


[Northcutt] You can get most, if not all of their recommendations by running Authentic8 Silo today and it works for most applications;

https://www.authentic8.com

Their highest privacy model, related to the DOM, has been tried before; years and years ago there were plugins to open .pdfs and .docx in Google and only send the image of the document to the client. NoScript is probably the most well-known, well-used tool to separate the executable stream from the display stream; the problem is, not everything is going to work:

https://noscript.net


Read more in:

NDSS: Veil: Private Browsing Semantics Without Browser-side Assistance (PDF)

https://www.ndss-symposium.org/wp-content/uploads/sites/25/2018/02/ndss2018_06B-4_Wang_paper.pdf

The Register: Private browsing isn't: Boffins say smut-mode can't hide your tracks

http://www.theregister.co.uk/2018/02/26/mit_wang_veil_browsing/

 

 --

Flash Flaw Exploited in Another Round of Phishing Attacks

(February 26, 2018)

A phishing campaign is exploiting a known vulnerability in Adobe Flash Player to spread malware through maliciously crafted Word documents. Adobe released a fix for the issue on February 6. Earlier this year, the flaw was being exploited through maliciously crafted Excel documents to target users in South Korea. The more recent set of attacks has been targeting users in the UK and Europe.     


[Editor Comments]

[Murray] Continuous patching, timely or not, will never make Flash safe.  The solution is not to use it.  (I do most of my browsing in iOS Safari where Flash is not supported; it is rare to run across something that I really want to see and cannot.)


Read more in:

Dark Reading: Adobe Flash Vulnerability Reappears in Malicious Word Files

https://www.darkreading.com/threat-intelligence/adobe-flash-vulnerability-reappears-in-malicious-word-files/d/d-id/1331139

 

 --

US Intel Says Russia Launched "False Flag" Olympics Cyberattack

(February 24 & 26, 2018)

US intelligence officials say that Russia was behind cyberattacks on computers used by 2018 Winter Olympics officials and that the hackers took steps to make it appear as though the attack came from North Korea. Olympics officials acknowledged that hackers disrupted Wi-Fi availability, broadcast systems, and the Olympic network during the event's opening ceremonies on February 9. Some researchers have warned against attributing the attack.


[Editor Comments]

[Neely] While attribution has its time and place, correcting the weakness and instrumenting your systems are more important, to prevent the attack in the first place.


Read more in:

Washington Post: Russian spies hacked the Olympics and tried to make it look like North Korea did it, U.S. officials say

https://www.washingtonpost.com/world/national-security/russian-spies-hacked-the-olympics-and-tried-to-make-it-look-like-north-korea-did-it-us-officials-say/2018/02/24/44b5468e-18f2-11e8-92c9-376b4fe57ff7_story.html

Ars Technica: Russia accused of "false flag" attack on Olympic opening

https://arstechnica.com/information-technology/2018/02/russia-accused-of-false-flag-attack-on-olympic-opening/



 --

Drupal Patches Seven Vulnerabilities

(February 23, 2018)

The Drupal security team has released updates for Drupal versions 7 and 8 to address a total of seven vulnerabilities, including two rated critical: a Comment Reply Form issue in Drupal version 8 and a JavaScript function flaw in Drupal versions 7 and 8 that could be exploited to launch a cross-site scripting attack.


[Editor Comments]

[Neely] These flaws can also be exploited to access and update otherwise private and restricted data on a Drupal site.


Read more in:

Threatpost: Drupal Patches Critical Bug That Leaves Platform Open to XSS Attack

https://threatpost.com/drupal-patches-critical-bug-that-leaves-platform-open-to-xss-attack/130070/

Drupal: Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001

https://www.drupal.org/SA-CORE-2018-001

 

INTERNET STORM CENTER TECH CORNER

Retrieving Malware Over Tor On Windows (Update)

https://isc.sans.edu/forums/diary/Retrieving+malware+over+Tor+on+Windows/23379/


Blackholing Advertising Sites with Pi-Hole

https://isc.sans.edu/forums/diary/Blackhole+Advertising+Sites+with+Pihole/23377/


FTC Taxslayer Consent Order

https://biglawbusiness.com/cybersecurity-enforcers-wake-up-to-unauthorized-computer-access-via-credential-stuffing/


Fortinet (OMG) Mirai

https://www.fortinet.com/blog/threat-research/omg--mirai-based-bot-turns-iot-devices-into-proxy-servers.html


Enumerating S3 Buckets

https://github.com/jordanpotti/AWSBucketDump


Creating AWS Network Diagrams

https://github.com/duo-labs/cloudmapper


Selling Macs and "Find my Mac" Feature

https://medium.com/@mulligan/how-i-sold-an-old-mac-and-unknowingly-tracked-its-location-for-over-3-years-9a35cd3ca4cf


Apple Stopping Support for 1st Gen Apple TV and iTunes on Windows XP / Vista

https://support.apple.com/en-us/HT208104

        

******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create