SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #19
March 9, 2018
A smile: If you have daughters or nieces and think they might enjoy exploring a career in cybersecurity, here are two short TV news pieces on what a good idea that is:
Washington DC: http://wjla.com/features/inspire/inspire-local-maryland-all-girls-team-wins-national-cybersecurity-challenge
Las Vegas NV:
Alan
****************************************************************************
SANS NewsBites March 9, 2018 Vol. 20, Num. 019
****************************************************************************
TOP OF THE NEWS
Government Agencies Should Look to Retrain Their Own Employees for Cybersecurity Positions
OIG Audit: DHS Needs to Improve Network Protection
UK Government IoT Security Guidelines
REST OF THE WEEK'S NEWS
Windows Defender Blocks Cryptocurrency Miner Installation Attempt
Cisco Releases Fixes for Two Critical Flaws and Other Security Issues
FOIA Request Reveals Geek Squad Informs FBI About Child Pornography Found on Computers
Legislators Press Voting Machine Companies on Security
FinTech Cybersecurity Consortium
Commissioning Rules Hinder US Military Efforts to Hire Cyber Experts from the Private Sector
ComboJack Malware Redirects Cryptocurrency Transactions
City Considering Cryptomining Moratorium
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Cylance **************************
Get the free Cylance ebook, Introduction to Artificial Intelligence for Security Professionals. Learn about AI and machine learning techniques and methods in practical situations that have proven most successful in predicting and preventing cyberattacks.
http://www.sans.org/info/202550
*****************************************************************************
TRAINING UPDATE
-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018
-- SANS Security West 2018 | San Diego, CA | May 11-18 | https://www.sans.org/event/security-west-2018
-- SANS Northern VA Spring - Tysons 2018 | March 17-24 | https://www.sans.org/event/northern-va-spring-tysons-2018
-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018
-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018
-- SANS at RSA Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018
-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018
-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018
-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018
-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018
-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018
-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad mini, ASUS Chromebook or take $250 Off your OnDemand or vLive training course by March 21. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
*****************************************************************************
TOP OF THE NEWS
--
Government Agencies Should Look to Retrain Their Own Employees for Cybersecurity Positions
(March 8, 2018)
Speaking at the Association for Federal Information Resources Management's Cybersecurity Summit, National Security Council director of cybersecurity policy Tyson Meadors said that the national cybersecurity labor shortage could be addressed in part by agencies retraining some of their own employees. Meadors also noted that a broader education than just computer science benefits those looking to build a career in cybersecurity. "That 285,000 number of open jobs in the United States is not going to be filled by computer science undergraduates," he said. "It's going to have to be filled by a combination of things: apprenticeships, community college graduates, people who can be hired simply because they have some kind of individual aptitude/talent so that we can identify through nontraditional sources."
Read more in:
Fedscoop: Retrained agency employees can be a key source of cybersecurity talent, NSC official says
https://www.fedscoop.com/agencies-can-retrain-employees-get-cyber-talent/
Nextgov: It Takes More Than Tech Skills To Be a Strong Cyber Leader
--
OIG Audit: DHS Needs to Improve Network Protection
(March 8, 2018)
A report from the Department of Homeland Security (DHS) Office of Inspector General (OIG) found that the agency is not adequately protecting its networks. Among the issues the audit found were use of unsupported operating systems (Windows Server 2003); workstations missing patches, including fixes for WannaCry, Flash, Shockwave, and Acrobat; not consistently disabling anonymous access to shared network drives; and not consistently enabling registry auditing. The report notes that the chief reason DHS had not met its security goals was a lack of security talent.
[Editor Comments]
[Pescatore] The good news is that overall DHS's security posture improved. The bad news is that most of that improvement came from one component, the US Secret Service (my alma mater!). Overall, 5 of the 10 DHS components improved while 5 got worse or stayed the same. One common thread was that DHS does not seem to have made much progress in implementing Continuous Diagnosis and Mitigation (CDM) controls, which of course is a DHS-managed program.
Read more in:
The Register: Audit finds Department of Homeland Security's security is insecure
OIG DHS: Evaluation of DHS' Information Security Program for FY 2017
https://www.oig.dhs.gov/sites/default/files/assets/2018-03/OIG-18-56-Mar18.pdf
--
UK Government IoT Security Guidelines
(March 7, 2018)
The UK government's Secure by Design review includes a proposed code of practice for Internet of Things (IoT) manufacturers, IoT service providers, mobile application developers, and retailers that includes not allowing universal default passwords, securely storing sensitive data, making it easy for consumers to configure the devices, updating software, and implementing a vulnerability disclosure policy.
[Editor Comments]
[Ullrich] Good guidelines, and not just for the IoT. See how Cisco just patched a "default credential" vulnerability this week.
Read more in:
Gov.uk: Secure by Design: Improving the cyber security of consumer Internet of Things Report
Gov.uk: New measures to boost cyber security in millions of internet-connected devices
ZDNet: New IoT security rules: Stop using default passwords and allow software updates
V3: Government to demand 'security by design' in new measures to tackle IoT security
************************** SPONSORED LINKS ********************************
1) "VMRay Analyzer, agentless malware analysis and rapid incident response: A SANS Product Review" with Matt Bromiley and Chad Loeven. Register: http://www.sans.org/info/202555
2) Don't Miss: "Dramatically Reduce Incident Response Time with Splunk and Bro" Register: http://www.sans.org/info/202560
3) Do you believe in SOCs? How critical is the SOC to your organization? Take the SANS SOC survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/202565
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
Windows Defender Blocks Cryptocurrency Miner Installation Attempt
(March 8, 2018)
Earlier this week, Microsoft's Windows Defender detected and stopped an attempt to infect 400,000 computers with a cryptocurrency miner. Windows Defender detected a malware downloader known as Smoke Loader or Dofoil, which was attempting to drop an Electroneum cryptocurrency miner.
[Editor Comments]
[Ullrich] Cryptocurrency miners are by far the most popular payloads deployed by attackers these days. Many even skip data exfiltration and deploy only cryptocurrency miners. It is great that Microsoft is starting to look for them. These miners usually do not try to hide and are not hard to find, but you have to look for them. For your non-Windows systems, make sure that you have rules in place to detect them.
Read more in:
ZDNet: Windows security: Microsoft fights massive cryptocoin miner malware outbreak
Bleeping Computer: Microsoft Stops Malware Campaign That Tried to Infect 400,000 Users in 12 Hours
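As an added illustration of the kind of detection rule Ullrich's comment asks for on non-Windows systems (example code written for this issue; it is not Microsoft's, the Internet Storm Center's or the editors' own tooling): a small Python scanner that reads output in the shape of `ps -eo pid,user,%cpu,args` and flags processes by miner binary name, a stratum mining-pool URL or miner-style flags on the command line, while reporting sustained high CPU on its own only as a low-confidence signal. The process listing, pool host and wallet value are constructed, and the indicator lists are assumptions that need tuning to your environment.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Indicator lists below are this example's assumptions (common miner binary
# names, the stratum pool-protocol URL scheme and typical miner flags); they
# are not taken from the newsletter and should be tuned to your environment.
MINER_NAMES = ("xmrig", "minerd", "cpuminer", "cgminer", "ethminer", "xmr-stak")
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://", re.IGNORECASE)
MINER_FLAGS_RE = re.compile(r"(?:--donate-level|--algo[= ]|--coin[= ]|-o\s+stratum)", re.IGNORECASE)
HIGH_CPU_PCT = 90.0  # threshold for the low-confidence "review manually" signal


@dataclass
class Proc:
    pid: int
    user: str
    cpu_pct: float
    cmdline: str


def parse_ps(output: str) -> List[Proc]:
    """Parse lines shaped like `ps -eo pid,user,%cpu,args` output (header skipped)."""
    procs = []
    for line in output.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, cpu, cmdline = parts
        procs.append(Proc(int(pid), user, float(cpu), cmdline))
    return procs


def miner_indicators(p: Proc) -> List[str]:
    """High-confidence indicators found on a single process."""
    reasons = []
    words = p.cmdline.split()
    exe = words[0].rsplit("/", 1)[-1].lower() if words else ""
    if any(name in exe for name in MINER_NAMES):
        reasons.append(f"known miner binary name '{exe}'")
    if STRATUM_RE.search(p.cmdline):
        reasons.append("stratum mining-pool URL in command line")
    if MINER_FLAGS_RE.search(p.cmdline):
        reasons.append("miner-style command-line flags")
    return reasons


def scan(procs: List[Proc]) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, confidence, reasons) for every process worth a look."""
    findings = []
    for p in procs:
        reasons = miner_indicators(p)
        if reasons:
            findings.append((p.pid, "high", reasons))
        elif p.cpu_pct >= HIGH_CPU_PCT:
            # CPU alone is weak evidence: legitimate batch jobs look the same.
            findings.append((p.pid, "low", ["sustained high CPU, no other indicator; review manually"]))
    return findings


# Constructed sample listing (not a real capture); pool host and wallet are
# placeholders.
SAMPLE_PS = """\
  PID USER     %CPU COMMAND
    1 root      0.0 /sbin/init
  842 www-data  1.2 /usr/sbin/apache2 -k start
 1337 www-data 98.7 /tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 -u WALLET_PLACEHOLDER --donate-level 1
 2048 postgres 95.0 postgres: checkpointer
 3012 nobody   97.3 /var/tmp/kworkerds --algo cryptonight -o stratum+ssl://pool.example.invalid:443
"""

if __name__ == "__main__":
    for pid, confidence, reasons in scan(parse_ps(SAMPLE_PS)):
        print(f"pid {pid} [{confidence}]: {'; '.join(reasons)}")
```

On a real host, feed the output of `ps -eo pid,user,%cpu,args` to `parse_ps`. The renamed binary in the sample (`kworkerds`) shows why the name list alone is not enough: the pool URL and flags still give it away, which is the "not hard to find, but you have to look" point. High-confidence hits warrant isolation and triage; low-confidence hits only a manual look.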
--
Cisco Releases Fixes for Two Critical Flaws and Other Security Issues
(March 8, 2018)
Cisco has released 22 security advisories to address issues in a variety of products. Two of the flaws are rated critical. The first is a hardcoded password in Cisco Prime Collaboration Provisioning (PCP) that a local attacker could use to attain root privileges. The issue affects only PCP 11.6, which was released in November 2016. The second is a Java deserialization issue in Cisco Secure Access Control System (ACS) that could be exploited remotely to execute arbitrary commands.
[Editor Comments]
[Murray] Infrastructure providers should have controls in place to effectively resist "hardcoded passwords." Relying on good intentions is not working.
Read more in:
Bleeping Computer: Hardcoded Password Found in Cisco Software
https://www.bleepingcomputer.com/news/security/hardcoded-password-found-in-cisco-software/
ZDNet: Cisco: Update now to fix critical hardcoded password bug, remote code execution flaw
The Register: Sigh. Cisco security kit has Java deserialisation bug and a default password SNAFU
http://www.theregister.co.uk/2018/03/08/cisco_security_patches/
Cisco: Cisco Secure Access Control System Java Deserialization Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-acs2
Cisco: Cisco Prime Collaboration Provisioning Hard-Coded Password Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180307-cpcp
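Murray's point is that resisting hardcoded passwords takes a control, not good intentions. One such control is a scanner that fails the build or commit when a credential literal appears in source or configuration. The Python below is an added example written for this issue, not Cisco's tooling or process; the file paths, file contents, key-name list and the value forms it treats as acceptable (environment lookups, template variables, empty placeholders) are all constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Key names that usually hold credentials, and value forms that are acceptable
# (read from the environment, a template variable, or an empty placeholder).
# Both patterns are this example's assumptions and need tuning per codebase.
SECRET_ASSIGN_RE = re.compile(
    r"(?i)\b(?P<key>[\w.-]*(?:password|passwd|secret|api[_-]?key|token)[\w.-]*)"
    r"\s*[:=]\s*(?P<val>.+?)\s*(?:#.*)?$"
)
SAFE_VALUE_RE = re.compile(
    r'^(?:""|\'\'|\$\{[^}]*\}|os\.environ|os\.getenv|getenv\(|<[^>]+>|None|null)',
    re.IGNORECASE,
)


def mask(value: str) -> str:
    """Never echo the full secret into a report; keep just enough to locate it."""
    return value[:2] + "*" * max(len(value) - 2, 3)


def find_hardcoded_secrets(path: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (path, line_no, key, masked_value) for each literal credential."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = SECRET_ASSIGN_RE.search(line)
        if not m:
            continue
        raw = m.group("val").strip()
        value = raw.strip("\"'")
        if not value or SAFE_VALUE_RE.match(raw):
            continue  # indirection or placeholder, not a literal credential
        findings.append((path, line_no, m.group("key"), mask(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan a path -> contents mapping (what a pre-commit hook would collect)."""
    findings = []
    for path, text in files.items():
        findings.extend(find_hardcoded_secrets(path, text))
    return findings


def build_passes(files: Dict[str, str]) -> bool:
    """The gate: a build or commit containing any literal credential must fail."""
    return not scan_files(files)


# Constructed sample tree (paths and contents invented for this example).
SAMPLE_FILES = {
    "provisioning/db.py": 'import os\nDB_USER = "admin"\nDB_PASSWORD = "Sup3rS3cret!"\n',
    "provisioning/settings.py": 'import os\nDB_PASSWORD = os.environ["DB_PASSWORD"]\nAPI_TOKEN = ""\n',
    "deploy/config.yaml": 'db:\n  user: prov\n  password: ${DB_PASSWORD}\nservice:\n  api_key: "example-hardcoded-key-0001"\n',
}

if __name__ == "__main__":
    for path, line_no, key, masked in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no}: literal credential in '{key}' ({masked})")
    raise SystemExit(0 if build_passes(SAMPLE_FILES) else 1)
```

Wired into CI or a pre-commit hook, the non-zero exit makes the control enforceable rather than advisory. The allowlist is deliberately narrow: a value that is read from the environment or a secrets manager passes, a string literal does not, and the report masks what it found so the scanner does not become a second place the secret is written down.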
--
Google Releases Chrome 65
(March 7, 2018)
Google has released Chrome 65 to the stable channel. In addition to fixes for 45 security issues, Chrome 65 takes additional steps to prevent users from being redirected to pages they do not want to visit. Chrome 65 also enables Transport Layer Security (TLS) version 1.3 by default.
Read more in:
ZDNet: Chrome 65 rolls out: You're getting a stronger redirect blocker, 45 security fixes
Bleeping Computer: Google Chrome 65 Released with Tab-Under Blocking, New APIs, 45 Security Fixes
Chrome: Chrome Releases: Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html
--
FOIA Request Reveals Geek Squad Informs FBI About Child Pornography Found on Computers
(March 7, 2018)
According to documents obtained by the Electronic Frontier Foundation (EFF) through the Freedom of Information Act (FOIA), electronics chain store Best Buy's Geek Squad has been alerting the FBI when it finds child pornography on devices brought in for repairs. Best Buy maintains that it has a "moral, and, in more than 20 states, a legal obligation to report these findings to law enforcement. We share this policy with our customers in writing before we begin any repair."
[Editor Comments]
[Honan] This issue affects many security professionals and DFIR specialists. In some jurisdictions you are legally obliged to report Child Abuse Material to the authorities. In others, while there may not be a mandatory requirement to report this material, you may feel you have an ethical and moral obligation to do so. Before engaging with a new investigation or project you should clearly state to your client, including your own internal clients if you work within an organisation, what your policy is should you discover this type of material.
Read more in:
EFF: Geek Squad's Relationship with FBI Is Cozier Than We Thought
https://www.eff.org/deeplinks/2018/03/geek-squads-relationship-fbi-cozier-we-thought
ZDNet: New documents reveal FBI paid Geek Squad repair staff as informants
http://www.zdnet.com/article/new-documents-reveal-fbi-paid-geek-squad-repair-staff-as-informants/
Ars Technica: Best Buy defends practice of informing FBI about child porn it finds
SC Magazine: FBI used Best Buy's Geek Squad as confidential informants, FOIA docs show
--
Fix Available for Exim Flaw
(March 6 & 7, 2018)
A security flaw in the Exim mail transfer agent (MTA) could be exploited to remotely execute code. The vulnerability exists in all versions of Exim except 4.90.1, which was released in early February. Hundreds of thousands of email servers are affected. A fix has been released, but patching is likely to take weeks.
Read more in:
ZDNet: Open-source Exim remote attack bug: 400,000 servers still vulnerable, patch now
Ars Technica: 400k servers may be at risk of serious code-execution attacks. Patch now
Bleeping Computer: Vulnerability Affects Half of the Internet's Email Servers
--
Legislators Press Voting Machine Companies on Security
(March 6 & 7, 2018)
US legislators are questioning voting machine manufacturers about the security of their products. Senator Ron Wyden (D-Oregon) sent a letter to Elections Systems & Software (ESS) asking if the company has sold machines with pre-installed remote access software, and if ESS officials or technical support staff have ever recommended that their customers install such software. ESS has issued a statement saying that it "does not sell or distribute products with remote access software installed." In a separate story, Senators Amy Klobuchar (D-Minnesota) and Jeanne Shaheen (D-New Hampshire) have sent a letter to ESS, Dominion Voting Systems, and Hart Intercivic asking if they have shared their source code or other sensitive information with any Russian entity.
[Editor Comments]
[Pescatore] This is another area where DHS has moved very slooowly. In January 2017, DHS declared election systems were part of the Critical Infrastructure, but it wasn't until October 2017 that they convened the first meeting of the Sector Coordinating Council. Since then there have been near zero externally visible signs of any actual progress towards increasing the security of election processes and systems before the November 2018 elections.
Read more in:
Ars Technica: US senator grills CEO over the myth of the hacker-proof voting machine
The Hill: Wyden presses leading US voting machine manufacturer on potential hacking vulnerabilities
The Hill: Dem senators ask voting machine vendors if they shared code with Russian entities
Reuters: Senators ask vote machine vendors about Russian access to source code
--
FinTech Cybersecurity Consortium
(March 6, 2018)
The World Economic Forum will lead a consortium of financial institutions that will develop cybersecurity standards for financial technology (FinTech) firms. Banks and other financial institutions have been increasing relationships with FinTech companies to help keep their financial services in step with digital developments. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Honan] Oh great, just what we need: yet another cybersecurity standard!! We should concentrate on the standards we already have and where necessary improve them rather than develop more standards.
Read more in:
Reuters: World Economic Forum leads creation of fintech cyber security consortium
WSJ: Citigroup, Kabbage Form Consortium on Fintech Cybersecurity
https://www.wsj.com/articles/citigroup-kabbage-form-consortium-on-fintech-cybersecurity-1520334000
--
Commissioning Rules Hinder US Military Efforts to Hire Cyber Experts from the Private Sector
(March 6, 2018)
Lt. General Paul Nakasone, commander of Army Cyber Command, told legislators that military programs established to hire cyber experts from the private sector are finding their efforts stymied by the military's inability to commission the new hires at ranks that reflect their experience. Because the people with these skills are in such high demand, private sector salaries are many times greater than the initial pay they would be offered in the military.
Read more in:
FNR: Military seeks seasoned industry professionals as next cyber warriors, but they'll have to start at the bottom
--
ComboJack Malware Redirects Cryptocurrency Transactions
(March 6, 2018)
ComboJack malware steals several different cryptocurrencies by replacing a transaction's destination wallet address with one controlled by the attackers. ComboJack changes the address when users have copied it to the infected device's clipboard. The malware initially spreads through a phishing email that tries to get recipients to allow an embedded file to run; it also exploits a known Windows vulnerability that was patched in September 2017.
Read more in:
SC Magazine: ComboJack malware steals digital payments, cryptocurrency, by modifying info saved to clipboards
ZDNet: ComboJack malware tries to steal your cryptocurrency by changing the data in your clipboard
--
City Considering Cryptomining Moratorium
(March 5 & 6, 2018)
The city of Plattsburgh, New York is considering a moratorium on new cryptomining operations because of concerns about excessive power consumption. Plattsburgh is home to two legitimate cryptomining operations. While power consumption has not yet been excessive, nearby Massena, NY, is home to a much larger cryptomining operation and there are concerns that even more companies could open shop there. Plattsburgh plans to hold a public hearing on March 15.
[Editor Comments]
[Murray] Like Iceland, northern New York is attractive to crypto miners because of an abundance of low cost electric energy. Plattsburgh would prefer enterprises that employ people.
Read more in:
WCAX: Plattsburgh considers ban on bitcoin mining
http://www.wcax.com/content/news/Plattsburgh-considers-ban-on-bitcoin-mining-475877703.html
CoinDesk: US City Mulls 18-Month Moratorium on Bitcoin Mining
https://www.coindesk.com/us-city-mulls-18-month-moratorium-bitcoin-mining/
SC Magazine: Legal cryptocurrency mining operation's power draw creates concern
INTERNET STORM CENTER TECH CORNER
Exploit for CVE-2018-6789
https://devco.re/blog/2018/03/06/exim-off-by-one-RCE-exploiting-CVE-2018-6789-en/
Hundreds of Bitcoin Mining Servers Stolen in Iceland
https://www.theguardian.com/world/2018/mar/07/hundreds-of-bitcoin-mining-servers-stolen-in-iceland
Several Android Mail Apps Send Password To Developer (article in German)
https://www.kuketz-blog.de/mail-apps-zahlreiche-android-apps-uebermitteln-login-passwort/
Apache Solr Vulnerability used to Install Cryptocoin Miner
https://isc.sans.edu/forums/diary/Apache+SOLR+the+new+target+for+cryptominers/23425/
Microsoft Fixes USB Issues Introduced By February Patches
https://support.microsoft.com/en-us/help/4090913/march5-2018kb4090913osbuild16299-251
123 Reg Loses Backups
Android March Security Bulletin
https://source.android.com/security/bulletin/2018-03-01#media-framework
Ransomware News: GlobeImposter Gets A Facelift, GandCrab is Still Out there
How to Break Encryption
https://blog.malwarebytes.com/threat-analysis/2018/03/encryption-101-how-to-break-encryption/
Bypassing Adobe Flash Security Protections
https://securingtomorrow.mcafee.com/mcafee-labs/hackers-bypassed-adobe-flash-protection-mechanism/
CRIMEB4NK IRC Bot
https://isc.sans.edu/forums/diary/CRIMEB4NK+IRC+Bot/23423/
Cisco Patches
https://tools.cisco.com/security/center/publicationListing.x
Any.Run Malware Analysis Tool
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create