SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #17

March 2, 2018

****************************************************************************

SANS NewsBites               March 2, 2018                Vol. 20, Num. 017

****************************************************************************

TOP OF THE NEWS

NSA Director Says President Has Not Directed Him to Take Action on Russian Meddling

Misconfigured Memcached Servers Used as DDoS Amplification Vector

GitHub Hit with Amplified DDoS


REST OF THE WEEK'S NEWS

German Government Computers Infiltrated, Data Stolen

Equifax Finds More Breached Accounts

Google Releases Stats on Flash Use in Chrome

USAF Working on Baked-in Software Security

National Nuclear Security Administration Seeks Cybersecurity Contractor

Tim Hortons Cash Registers Infected with Malware

DHS Disputes News Report That Russia Compromised Voting Systems Before 2016 Elections

H-1B Visa Situation Discouraging Foreign Tech Specialists

INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By Splunk  ***************************


Gartner Names Splunk a SIEM Magic Quadrant Leader for the Fifth Year Running!  Gartner recently published its 2017 Magic Quadrant (MQ) for Security Information and Event Management where Splunk was named a leader in the security information and event management (SIEM) market. Read the report to learn why Splunk is part of the select few that can replace outdated SIEM deployments and deliver the security analytics solution of tomorrow. http://www.sans.org/info/202355


*****************************************************************************

TRAINING UPDATE


-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018


-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018


-- SANS Northern VA SpringTysons 2018 | March 17-24 | https://www.sans.org/event/northern-va-spring-tysons-2018


-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018


-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018


-- SANS at RSA Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018


-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018


-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018


-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018


-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad, Samsung Galaxy Tab A or take $250 Off your OnDemand or vLive training course by March 7. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all


*****************************************************************************

TOP OF THE NEWS

 --

NSA Director Says President Has Not Directed Him to Take Action on Russian Meddling

(February 27 & 28, 2018)

Earlier this week, National Security Agency (NSA) Director Admiral Michael Rogers told the US Senate Armed Services Committee that the actions the government has taken in response to Russia's election meddling have been ineffective. Rogers, who is also the Commander of US Cyber Command, told legislators that unless further action is taken, Russia will not stop its interference, and that the president has not directed him to take action against the Russian attacks.


[Editor Comments]

[Murray] Adm. Rogers was careful to caution that the best response to a cyber attack may not be cyber but that what we are doing now is not sufficient to discourage the Russians.


Read more in:

Ars Technica: Why US "cyber-warriors" can't do anything about Russian "cyber-meddling"

https://arstechnica.com/tech-policy/2018/02/why-us-cyber-warriors-cant-do-anything-about-russian-cyber-meddling/

SC Magazine: NSA chief hasn't been give the authority to battle Russian interference

https://www.scmagazine.com/nsa-chief-hasnt-been-give-the-authority-to-battle-russian-interference/article/747087/

The Register: NSA boss: Trump won't pull trigger for Russia election hack retaliation

http://www.theregister.co.uk/2018/02/27/nsa_russia_election_hacking/

Cyberscoop: NSA chief ripped by Congress for cyberwar process he doesn't control

https://www.cyberscoop.com/michael-rogers-russian-hacking-donald-trump-us-cyber-command/?category_news=technology


 --

Misconfigured Memcached Servers Used as DDoS Amplification Vector

(February 27 & 28 & March 1, 2018)

A February 27 Cloudflare blog post notes a significant increase in amplification attacks using the memcached protocol from UDP port 11211. Memcached has no authentication and, in versions before 1.5.6, enables its UDP listener by default, so any instance reachable from the Internet is a reflector: a request of a few bytes with a spoofed source address elicits a reply of many kilobytes (up to the server's full cached values), giving amplification factors in the tens of thousands. The fix on the server side is to disable UDP (memcached -U 0), bind to an internal interface (-l), and filter UDP 11211 at the network edge. Other organizations have reported the technique as well.


Read more in:

Internet Storm Center: How Did This Memcache Thing Happen?

https://isc.sans.edu/forums/diary/How+did+this+Memcache+thing+happen/23391/

Internet Storm Center: Why we Don't Deserve the Internet - Memcached Reflected DDoS Attacks

https://isc.sans.edu/forums/diary/Why+we+Dont+Deserve+the+Internet+Memcached+Reflected+DDoS+Attacks/23389/

Cloudflare: Memcrashed - Major amplification attacks from UDP port 11211

https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/

US-CERT: UDP-Based Amplification Attacks

https://www.us-cert.gov/ncas/alerts/TA14-017A

ZDNet: Memcached DDoS: The biggest, baddest denial of service attacker yet

http://www.zdnet.com/article/memcached-ddos-the-biggest-baddest-denial-of-service-attacker-yet/

The Register: Popular cache utility exploited for massive reflected DoS attacks

http://www.theregister.co.uk/2018/02/28/memcached_reflected_dos_attacks/

SC Magazine: Flurry of ultra-amplified attacks point to UDP port emanating from memcached servers

https://www.scmagazine.com/flurry-of-ultra-amplified-attacks-point-to-udp-port-emanating-from-memcached-servers/article/747462/

Ars Technica: In-the-wild DDoSes use new way to achieve unthinkable sizes

https://arstechnica.com/information-technology/2018/02/in-the-wild-ddoses-use-new-way-to-achieve-unthinkable-sizes/

eWeek: Attackers Using Memcached Servers to Amplify DDoS Attacks

http://www.eweek.com/security/attackers-using-memcached-servers-to-amplify-ddos-attacks

Threatpost: Misconfigured Memcached Servers Abused to Amplify DDoS Attacks

https://threatpost.com/misconfigured-memcached-servers-abused-to-amplify-ddos-attacks/130150/

 

 --

GitHub Hit with Amplified DDoS

(March 1, 2018)

On Wednesday, February 28, GitHub was hit with a distributed denial-of-service (DDoS) amplification attack that at its peak reached 1.35 Tbps (126.9 million packets per second). The attack used the memcached reflection technique described above and was absorbed by routing GitHub's traffic through a scrubbing provider. It rendered GitHub unavailable for roughly five minutes and intermittently available for about another five minutes.


Read more in:

Power of Community 2017 slides (Shengbao):

http://powerofcommunity.net/poc2017/shengbao.pdf

GitHub: February 28th DDoS Incident Report

https://githubengineering.com/ddos-incident-report/

ZDNet: GitHub hit with the largest DDoS attack ever seen

http://www.zdnet.com/article/github-was-hit-with-the-largest-ddos-attack-ever-seen/

eWeek: GitHub Hit By Largest DDoS Attack Ever Recorded at 1.35 Tbps

http://www.eweek.com/security/github-hit-by-largest-ddos-attack-ever-recorded-at-1.35-tbps
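The two items above (the memcached reflection write-ups and the GitHub incident) both turn on the same mechanic: a tiny UDP request, a large multi-datagram reply, and a spoofed source address. The following is an added example written for this editorial review; it is not code from SANS, Cloudflare, GitHub or the memcached project. It builds the 15-byte "stats" probe used to measure a reflector, parses memcached's 8-byte UDP frame header (request id, sequence number, datagram count, reserved), reassembles a reply, and computes the bandwidth amplification factor. The reply data is constructed inline, not captured traffic; the probe_host helper does send to the network and must only be pointed at hosts you are authorised to test.

```python
"""Memcached UDP reflection probe and amplification calculator (added example)."""
import socket
import struct
from typing import Dict, List, Optional

MEMCACHED_UDP_PORT = 11211
# Memcached UDP framing: four big-endian uint16 fields, 8 bytes total.
#   request id | sequence number | total datagrams in message | reserved (0)
FRAME_HEADER = struct.Struct("!HHHH")
MAX_DATAGRAM = 1400  # memcached splits UDP replies into frames of this size


def build_probe(command: bytes = b"stats\r\n", request_id: int = 1) -> bytes:
    """Return one memcached UDP datagram carrying a text-protocol command.

    The default 'stats' probe is 8 header bytes + 7 payload bytes = 15 bytes,
    the request size attackers use to elicit multi-kilobyte replies.
    """
    return FRAME_HEADER.pack(request_id, 0, 1, 0) + command


def parse_frame(datagram: bytes) -> Dict[str, object]:
    """Split a reply datagram into header fields and payload."""
    if len(datagram) < FRAME_HEADER.size:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, _reserved = FRAME_HEADER.unpack_from(datagram)
    return {
        "request_id": request_id,
        "seq": seq,
        "total": total,
        "payload": datagram[FRAME_HEADER.size:],
    }


def reassemble(datagrams: List[bytes]) -> bytes:
    """Order reply frames by sequence number and concatenate their payloads."""
    frames = sorted((parse_frame(d) for d in datagrams), key=lambda f: f["seq"])
    return b"".join(f["payload"] for f in frames)


def amplification_factor(sent: bytes, received: List[bytes]) -> float:
    """Bandwidth amplification factor: bytes reflected per byte sent, headers included."""
    return sum(len(d) for d in received) / len(sent)


def sample_reply(request_id: int = 1, datagrams: int = 2) -> List[bytes]:
    """Constructed stand-in for a real 'stats' reply (not captured traffic).

    Produces `datagrams` full-size frames and returns them out of order so
    reassemble() has to sort by sequence number.
    """
    line = b"STAT bytes_read 1234567\r\n"
    payload_len = MAX_DATAGRAM - FRAME_HEADER.size
    body = (line * (payload_len // len(line) + 1))[:payload_len]
    frames = [FRAME_HEADER.pack(request_id, seq, datagrams, 0) + body
              for seq in range(datagrams)]
    return frames[::-1]


def probe_host(host: str, timeout: float = 2.0) -> Optional[List[bytes]]:
    """Send the stats probe to an authorised host; return its reply frames, or None.

    A non-None result means the UDP listener is reachable and the host can be
    used as a reflector; the factor from amplification_factor() says how badly.
    """
    probe = build_probe()
    replies: List[bytes] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(probe, (host, MEMCACHED_UDP_PORT))
        try:
            while True:
                data, _peer = sock.recvfrom(65535)
                replies.append(data)
        except socket.timeout:
            pass
    return replies or None


if __name__ == "__main__":
    probe = build_probe()
    reply = sample_reply()
    print(f"{len(probe)}-byte probe -> {sum(map(len, reply))} bytes back, "
          f"{amplification_factor(probe, reply):.0f}x amplification")
    print(reassemble(reply)[:25])
```

The constructed reply is deliberately small (two frames); a real exposed server answering "stats" returns several frames, and a "get" for a large key an attacker planted beforehand returns up to the full value, which is where the reported factors in the tens of thousands come from. On a server you own, a None result from probe_host after starting memcached with -U 0 (or -l 127.0.0.1) confirms the UDP listener is gone.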

 

**************************  SPONSORED LINKS  ********************************


1) Take the SANS IIoT Survey by April 9 to enter to win a $400 Amazon gift card! http://www.sans.org/info/202360


2) Use Bro logs in Splunk to answer critical IR questions and resolve security incidents and alerts in minutes, not hours or days.  Learn More:  http://www.sans.org/info/202365


3) Don't Miss:  "52% of Companies Sacrifice Cybersecurity for Speed" with

Pete Cheslock & Franklin Mosley. http://www.sans.org/info/202370


*****************************************************************************

THE REST OF THE WEEK'S NEWS      

 --

German Government Computers Infiltrated, Data Stolen

(March 1, 2018)

Germany's government computer networks have been targeted in a cyber attack. The intruders were first detected in December 2017. They were able to steal information and may have been exfiltrating data for as long as a year before they were detected. Reports suggest that the attacks may be the work of the hacking group known as Fancy Bear or APT28.


Read more in:

The Register: German government confirms hackers blitzkrieged its servers to steal data

http://www.theregister.co.uk/2018/03/01/german_government_confirms_hackers_blitzkrieged_its_servers_to_steal_data/

ZDNet: Russians suspected of new German attack may 'have been inside system for a year'

http://www.zdnet.com/article/russians-suspected-of-new-german-attack-may-have-been-inside-system-for-a-year/

Reuters: German government under cyber attack, shores up defenses

https://www.reuters.com/article/us-germany-cyber/german-government-under-cyber-attack-shores-up-defenses-idUSKCN1GD4C8

 

 --

Equifax Finds More Breached Accounts

(March 1, 2018)

Equifax has determined that an additional 2.4 million accounts were compromised in its massive data breach, bringing the total number of compromised accounts associated with US consumers to 147.9 million.


[Editor Comments]

[Neely] While this is not an additional breach, I am surprised to still find people who think they were not impacted. Waiting for the notification that your information has been exposed is not optimal. We all need to be proactive and get credit monitoring and freeze our credit.


Read more in:

SC Magazine: Equifax breach worse than thought, consumers affected now total 147.9M

https://www.scmagazine.com/equifax-breach-worse-than-thought-consumers-affected-now-total-1479m/article/748044/

 

 --

Google Releases Stats on Flash Use in Chrome

(February 28, 2018)

According to statistics from Google, the percentage of Chrome users who had used Flash (measured by loading at least one page with Flash content a day) has dropped from 80 percent in 2014 to just eight percent earlier this year. Last year, Adobe announced that it would end support for Flash by 2020.


[Editor Comments]

[Pescatore] Doesn't seem that long ago that everyone thought "We can't just block Flash, users and management will never stand for it." There are lots of mythical "third rails" like that - CEOs and CIOs and VPs of Sales who are using fingerprint authentication on their personal mobile phone and SMS messaging two factor authentication on their personal PayPal account, but at work are only offered reusable passwords. "We can't get the business side to accept the use of DMARC reject policies on email" is another largely juice-less third rail these days.


[Neely] Many institutions have created educational materials with rich content based on Flash which will take time and effort to migrate to alternatives such as HTML5. If you're in this category, verify the migration project is underway now to ensure completion before Flash is deprecated.


Read more in:

Bleeping Computer: Google Chrome: Flash Usage Declines from 80% in 2014 to Under 8% Today

https://www.bleepingcomputer.com/news/security/google-chrome-flash-usage-declines-from-80-percent-in-2014-to-under-8-percent-today/

 

 --

USAF Working on Baked-in Software Security

(February 28, 2018)

The US Air Force's Air Operations Center (AOC) Pathfinder Project is working on baking security into its software development process. Speaking at the AFCEA Cybersecurity Technology Summit, Air Force Cyberspace Innovation Director Lauren Knausenberger noted that "Our goal in the near term is to certify the AOC software factory so everything coming out is automatically certified."  


[Editor Comments]

[Neely] The Air Force is leveraging lessons learned from their bug bounty program to deliver secure software, with automated testing and validation, from the get-go, in an environment that leverages agile software development. This should yield a model that others can follow as well. The cliché of security after the fact must become a thing of the past.


[Pescatore] "Baked-in security" is of course good, but meeting government/military certification requirements really does not equate to actual security - just the paperwork covering an Authority to Operate decision. The good news is the AF and much of the rest of the military does seem to focus more on "actually test the software for vulnerabilities before release" vs. "document that security features in the software are there" kind of certification.


Read more in:

GCN: Air Force tests baked-in software security

https://gcn.com/articles/2018/02/28/af-aoc-pathfinder.aspx?admgarea=TC_SecCybersSec

 

 --

National Nuclear Security Administration Seeks Cybersecurity Contractor

(February 28, 2018)

The US National Nuclear Security Administration is seeking companies that can help with the physical and cybersecurity of facilities that store nuclear and related materials. The company that is granted the contract will undertake a number of responsibilities, including developing cyberattack scenarios and strategies for protecting facilities and systems from those attacks, and conducting vulnerability assessments and equipment tests.


[Editor Comments]

[Neely] The Sources Sought Notice nicely covers the key elements in securing these facilities, including training, assessment and ongoing oversight, and is an opportunity to get a fresh perspective for this work. Unfortunately, the notice requires such a high degree of familiarity with NNSA that it is likely to only attract existing sub-contractors.

Link to the Sources Sought Notice: https://www.fedconnect.net/FedConnect/default.aspx?ReturnUrl=%2fFedConnect%2f%3fdoc%3d89233118NNA000010%26agency%3dDOE&doc=89233118NNA000010&agency=DOE


Read more in:

Nextgov: Nuclear Agency Wants Info on Securing Radioactive Waste from Cyberattacks

http://www.nextgov.com/cybersecurity/2018/02/nuclear-agency-wants-info-securing-radioactive-waste-cyberattacks/146297/

 

 --

Tim Hortons Cash Registers Infected with Malware

(February 28, 2018)

As-yet-unspecified malware has rendered cash registers at hundreds of Tim Hortons restaurants in Canada inoperable, forcing the affected outlets to close.


Read more in:

SC Magazine: Malware forces closure of hundreds of Tim Hortons outlets across Canada

https://www.scmagazine.com/tim-hortons-hit-with-malware-forcing-hundreds-to-close/article/747271/

 

 --

DHS Disputes News Report That Russia Compromised Voting Systems Before 2016 Elections

(February 28, 2018)

The US Department of Homeland Security (DHS) is refuting claims made in an NBC News report that Russia breached voter sites and registration systems in seven US states prior to the November 2016 presidential election. The news report cited unnamed US officials as saying that there was evidence that the systems had been compromised but that the states were not informed. Alaska's top election official Josie Bahnke said that according to information she received from DHS, Russian actors scanned a public elections website but got no further.


[Editor Comments]

[Williams] Without robust monitoring of state (and county) election commission networks nobody can say with any certainty whether Russia (or anyone else) hacked systems before the 2016 election. We know this monitoring was not in place on any wide scale (in fact, I'm yet to talk to a single state elections representative who had industry standard monitoring in place). Read any story that says "no evidence of compromise" with a grain of salt. In any situation, you should be extremely skeptical of "no evidence of" claims, but here it is especially important since most county and state governments are very poorly monitored.


Read more in:

NBC News: U.S. intel: Russia compromised seven states prior to 2016 election

https://www.nbcnews.com/politics/elections/u-s-intel-russia-compromised-seven-states-prior-2016-election-n850296

GovTech: Alaskan Election Officials Question Reports of Russian Breach

http://www.govtech.com/security/Alaskan-Election-Officials-Question-Reports-of-Russian-Breach.html

The Hill: DHS: 'No intelligence' Russia compromised seven states ahead of 2016 election

http://thehill.com/policy/cybersecurity/375912-intel-officials-russia-breached-voter-sites-or-registration-systems-in

 

 --

H-1B Visa Situation Discouraging Foreign Tech Specialists

(February 26, 2018)

The current US administration's changes to immigration policy are making the US a less appealing place for technology specialists from other countries. The requirements for H-1B visas, which allow skilled foreigners to work at companies in the US, have been made more difficult to meet, and recently third-party contract work rules were tightened, narrowing the scope of the visas and making them more difficult to renew.


Read more in:

Quartz: Indian techies look to Canada as the American Dream turns into an H-1B nightmare

https://qz.com/1215625/the-h-1b-nightmare-has-turned-indian-techies-onto-the-canadian-dream/

 

INTERNET STORM CENTER TECH CORNER

Malspam Pushing Formbook Info Stealer

https://isc.sans.edu/forums/diary/Malspam+pushing+Formbook+info+stealer/23387/


Trustico TLS Certificate Revocation

https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/wxX4Yv0E3Mk/QZt8UPhKAwAJ


Trustico Update: Certificate Revocation List Monitor

https://isc.sans.edu/crls.html


Various SAML Parsers Affected by Comment Parsing Vulnerability

https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations


Flash on Its Way Out

https://www.bleepingcomputer.com/news/security/google-chrome-flash-usage-declines-from-80-percent-in-2014-to-under-8-percent-today/


DNSSEC Is Getting Better But Still Struggling

http://www.theregister.co.uk/2018/02/28/dutch_name_authority_dnssec_validation_errors_can_be_eliminated/


Smart TV Firmware Flaws

https://www.av-comparatives.org/wp-content/uploads/2018/02/avc_sigma_medion_201802.pdf


Censoring Images At Scale in #WeChat

https://isc.sans.edu/forums/diary/Why+Does+Emperor+Xi+Dislike+Winnie+the+Pooh+and+Scrambled+Eggs/23395/


Microsoft Releases Intel Spectre Microcode Updates

https://support.microsoft.com/en-us/help/4090007/intel-microcode-updates

     

******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create