
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #2

January 9, 2018

Very cool program to motivate and educate high school girls in cybersecurity!

The governors of 15 states will announce, within a few days, that high school girls in their states will be eligible to play CyberStart to discover how interesting cybersecurity can be and to learn whether they have the aptitude and approach to problem-solving needed to excel in the field. All high school girls will be invited to play; all they need is an internet-connected computer to play. Participating governors and their states include (east to west): Maine, Vermont, Connecticut, New York, New Jersey, Delaware, Maryland, North Carolina, West Virginia, Mississippi, Texas, Colorado, Wyoming, Nevada, Hawaii (and American Samoa).

More information: GirlsGoCyberStart.Com  


****************************************************************************

SANS NewsBites               January 9, 2018                Vol. 20, Num. 002

****************************************************************************

TOP OF THE NEWS

Meltdown and Spectre Updates Causing Problems for Some Users

Apple Releases Updates for Spectre Flaw

Antivirus as a Spy Tool

REST OF THE WEEK'S NEWS

Wi-Fi Alliance Announces WPA3

ACLU Says New Customs and Border Patrol Directive Doesn't Go Far Enough

Western Digital Releases Update for NAS Devices

Botnet Defense Through Federal Procurement and Acquisition

Google Pulls Apps Containing LightsOut Malvertising Component

Sheltered Harbor Financial Account Project May Be Expanded to Cover Retirement Accounts

EAC to Host Summit on Election Security

INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By Carbon Black  *********************


Join our webinar, "A New Year, a New SOC: How to Future-Proof Your SOC", on January 18th and you'll be able to keep your New Year's resolution to harden your defenses. You'll learn how the combination of Carbon Black and Demisto will fundamentally transform your security team into a high-speed SOC ready for whatever 2018 brings.

 http://www.sans.org/info/201005

 

*****************************************************************************

TRAINING UPDATE


-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018


-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018


-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018


-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018


-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018


-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018


-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018


-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018


-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get a 10.5" iPad Pro or an HP ProBook 450 G4, or take $400 Off with OnDemand and vLive Training when you register by January 10. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast - https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all


*****************************************************************************

TOP OF THE NEWS

 --

Meltdown and Spectre Updates Causing Problems for Some Users

(January 8, 2018)

Microsoft's update to address the Meltdown and Spectre security issues has been causing its own set of problems. The update changes the way data are processed at the kernel level, which has caused problems with some anti-virus products. Users have also reported that their Windows machines have failed to reboot after the patch is installed; others have reported that the update causes problems with the PulseSecure VPN client and with Sophos's Sandboxie isolation program.  


Read more in:

The Register: It gets worse: Microsoft's Spectre-fixer bricks some AMD PCs

http://www.theregister.co.uk/2018/01/08/microsofts_spectre_fixer_bricks_some_amd_powered_pcs/

Cyberscoop: Microsoft's chip patch is messing with anti-virus products

https://www.cyberscoop.com/spectre-meltdown-microsoft-anti-virus-bsod/?category_news=technology

The Register: Microsoft patches Windows to cool off Intel's Meltdown - wait, antivirus? Slow your roll

http://www.theregister.co.uk/2018/01/08/meltdown_fix_security_problems/

ZDNet: Windows Meltdown-Spectre update: Some AMD PC owners post crash reports

http://www.zdnet.com/article/windows-meltdown-spectre-update-now-some-amd-pc-owners-post-crash-reports/

 

 --

Apple Releases Updates for Spectre Flaw

(January 8, 2018)

Apple has issued updates for macOS, iOS and Safari to address two processor vulnerabilities that are collectively known as Spectre. Users are urged to ensure they are running macOS 10.13.2 (including the supplemental update), iOS 11.2.2, and Safari 11.0.2. Apple updates to macOS, iOS, and tvOS in December 2017 addressed the Meltdown vulnerability.


[Editor Comments]

[Neely] The data on fixing these security issues is changing daily. Don't panic, follow your proven methodology - research, review and test, and roll the fixes out with your regular patching cycle. For example, some missed that Apple put Meltdown fixes in 10.11.6 & 10.12.6.


Read more in:

Bleeping Computer: Apple Releases Security Updates for Spectre CPU Flaw

https://www.bleepingcomputer.com/news/apple/apple-releases-security-updates-for-spectre-cpu-flaw/


 --

Antivirus as a Spy Tool

(January 1, 2018)

Because security software necessarily has privileged access to computer systems, it also has the potential to be misused as a spy tool. The issue made headlines when it came to light that Kaspersky antivirus had been used to steal classified data from an NSA employee.


[Editor Comments]

[Williams] When you install antivirus software, you place absolute trust in that software.  Select an antivirus vendor the way you would an operating system vendor. If you wouldn't trust an AV vendor to write your operating system, you shouldn't use their antivirus software either.


[Pescatore] AV software started out as a file system shim, but as the AV vendors started acquiring personal firewall and other desktop security software, the bloated End Point Protection platforms essentially became rootkits, albeit ineffective and easy-to-detect ones that were installed by sys admins rather than attackers. By enforcing Group Policy Objects for privilege management and application control on desktops, and using modern browser protections, the simpler file system shims can do what AV is actually good at (which is mostly removing malware after it gets on) while more appropriate security controls handle higher-level threats.


Read more in:

NYT: How Antivirus Software Can Be Turned Into a Tool for Spying

https://www.nytimes.com/2018/01/01/technology/kaspersky-lab-antivirus.html


**************************  SPONSORED LINKS  ********************************


1) It's time to make sure that DNS is part of your security posture.  Register to Learn more:  http://www.sans.org/info/201010


2) "In a Perfect World...Building the Network Security Architecture for the Future"  Register: http://www.sans.org/info/201015


3) Don't Miss:  "Are You in Control? Managing the CIS Critical Security Controls within your Enterprise" http://www.sans.org/info/201020


*****************************************************************************

THE REST OF THE WEEK'S NEWS    

 --

Wi-Fi Alliance Announces WPA3

(January 8, 2018)                               

The Wi-Fi Alliance has announced that the WPA3 Wi-Fi authentication standard will roll out later this year. WPA3 will replace WPA2, which was recently found to have a major vulnerability dubbed KRACK. WPA3 offers protection against brute force attacks and individualized data encryption to improve security on open Wi-Fi networks. WPA2 has been in use since 2004.


[Editor Comments]

[Pescatore] Still important to patch existing WiFi devices.  When WPA2 came out, it took about 18 months from the start of testing to when all shipping devices implemented WPA2 and interoperated. Realistically, most companies will not be moving to WPA3 capabilities until 2019 but it would be good to see those operating public WiFi hotspots lead the way to drive progress sooner than that.


Read more in:

ZDNet: With WPA3, Wi-Fi security is about to get a lot tougher

http://www.zdnet.com/article/wpa3-wireless-standard-tougher-wifi-security-revealed/

Bleeping Computer: WPA3 WiFi Standard Announced After Researchers KRACKed WPA2 Three Months Ago

https://www.bleepingcomputer.com/news/hardware/wpa3-wifi-standard-announced-after-researchers-kracked-wpa2-three-months-ago/

Wi-Fi Alliance: Wi-Fi Alliance(r) introduces security enhancements

https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements

 

 --

ACLU Says New Customs and Border Patrol Directive Doesn't Go Far Enough

(January 8, 2018)

The US Customs and Border Patrol (CBP) released new guidelines for the search and seizure of electronic devices belonging to travelers leaving and entering the US. The American Civil Liberties Union (ACLU) has issued a statement regarding the CBP's new directive, saying that it does not go far enough to protect travelers' constitutional rights. According to the ACLU, while the new "policy would at least require officers to have some level of suspicion before copying and using electronic methods to search a traveler's electronic device... [it] still falls far short of... a search warrant based on probable cause."


Read more in:

Threatpost: New Rules Announced for Border Inspection of Electronic Devices

https://threatpost.com/new-rules-announced-for-border-inspection-of-electronic-devices/129361/

SC Magazine: CBP directive would allow warrantless search, seizure of electronic devices at border

https://www.scmagazine.com/cbp-directive-would-allow-warrantless-search-seizure-of-electronic-devices-at-border/article/735390/

Nextgov: Border Agents Are Searching Through More Traveler's Devices Than Ever

http://www.nextgov.com/cybersecurity/2018/01/border-agents-are-searching-through-more-travelers-devices-ever/145048/

CBP: CBP Directive No. 3340-049A: Border Search of Electronic Devices

https://www.cbp.gov/sites/default/files/assets/documents/2018-Jan/cbp-directive-3340-049a-border-search-electronic-media.pdf

 

 --

Western Digital Releases Update for NAS Devices

(January 8, 2018)

Western Digital has released a firmware update to address a hardcoded backdoor in its MyCloud NAS devices. The update also addresses an unrestricted file upload vulnerability and a cross-site request forgery issue. Western Digital was alerted to the flaws in June 2017.


[Editor Comments]

[Williams] There shouldn't be a backdoor in a product like this and if one is found, it shouldn't take months to remove the backdoor.  Pay attention to vendor responses when evaluating your product decisions. Taking months to respond to this egregious vulnerability does not inspire confidence in WD's software engineering and security practices.  The hardcoded system level password (that can't be changed by users) was "abc12345cba" - if you're going to code a backdoor password, at least make it a good password.


Read more in:

Bleeping Computer: Backdoor Account Removed from Western Digital NAS Hard Drives

https://www.bleepingcomputer.com/news/security/backdoor-account-removed-from-western-digital-nas-hard-drives/

eWeek: WD Patches Backdoor Security Flaw in My Cloud NAS Devices

http://www.eweek.com/security/wd-patches-backdoor-security-flaw-in-my-cloud-nas-devices

Cyberscoop: Western Digital removes hard-coded backdoor from personal cloud drives

https://www.cyberscoop.com/western-digital-backdoor-removed/

V3: Western Digital's fog of MyCloud security vulnerabilities increases with new disclosures

https://www.v3.co.uk/v3-uk/news/3024009/western-digitals-fog-of-mycloud-security-vulnerabilities-increases-with-new-disclosures

GulfTech: WDMyCloud Multiple Vulnerabilities

http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125

 

 --

Botnet Defense Through Federal Procurement and Acquisition

(January 5, 2018)

According to a report from the US Departments of Commerce and Homeland Security, the federal government could help protect its networks from botnets and other automated threats through procurement guidelines and acquisition rules. The report calls on the government to change its acquisition rules and procurement guidelines to encourage the private sector to develop products that comply with government security requirements. The report describes five goals for the federal government to achieve to better protect network security: "boosting education and awareness, creating a more agile and secure technology marketplace, promoting innovation in infrastructure and for edge network protections, and building global coalitions across tech communities to include security, operations and infrastructure." Comments on the draft report will be accepted through February 12, 2018.


[Editor Comments]

[Pescatore] When the DHS was formed in 2002 I wrote a Gartner Research Note that urged DHS to implement a key part of PDD-63 from 1998 that the Federal government act as a "model to the rest of the country for how infrastructure protection is to be attained." Two key recommendations were that the government lead by example in requiring all public-facing government web sites to use Denial of Service protection and all government sys admin access to use strong authentication, in order to drive the commercial market in those directions. This new report weighs in at 39 pages and only a single paragraph mentions the US government taking action to widely implement ingress filtering and DDoS protection - and even there recommends waiting for government-developed Cybersecurity Profiles. This is the classic choice of kicking the can up the road vs. bending over to pick up the can.


Read more in:

FCW: Can federal purchasing power counteract botnets?

https://fcw.com/articles/2018/01/05/commerce-dhs-botnets.aspx

NTIA: Report: Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats (PDF)

https://www.ntia.doc.gov/files/ntia/publications/eo_13800_botnet_report_for_public_comment.pdf

CSRC NIST: A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats

https://csrc.nist.gov/publications/detail/white-paper/2018/01/05/enhancing-resilience-against-botnets--report-to-the-president/draft

 

 --

Google Pulls Apps Containing LightsOut Malvertising Component

(January 5, 2018)

Google has pulled 22 flashlight and other utility apps from the Google Play store because they were found to contain a malicious advertising component known as LightsOut. The malware displays advertisements that users must click before continuing to use their devices. In all, the affected apps have been downloaded at least 1.5 million times.  


Read more in:

Threatpost: Google Play Removes 22 Malicious 'Lightsout' Apps from Marketplace

https://threatpost.com/google-play-removes-22-malicious-lightsout-apps-from-marketplace/129328/

ZDNet: Android security: Flashlight apps on Google Play infested with adware were downloaded by 1.5m people

http://www.zdnet.com/article/android-security-flashlight-apps-on-google-play-infested-with-adware-were-downloaded-by-1-5m-people/

 

 --

Sheltered Harbor Financial Account Project May Be Expanded to Cover Retirement Accounts

(January 4, 2018)

Financial companies in the US plan to expand a project that currently protects bank accounts from cyber attacks to cover investment funds. Sheltered Harbor already backs up savings and checking account data, and is starting to include some brokerage accounts. Eventually, the financial industry plans to include 401(k) accounts and pension funds. Sheltered Harbor operates through a buddy system in which partners agree to allow each other to use their networks in the event of an emergency.   


Read more in:

Bloomberg: Your 401(k) Deleted: How Wall Street Hopes to Thwart Hackers

https://www.bloomberg.com/news/articles/2018-01-04/wall-street-aims-to-thwart-a-hacking-nightmare-for-your-401-k

 

 --

EAC to Host Summit on Election Security

(January 3, 2018)

On January 10, 2018, the US Election Assistance Commission (EAC) will host a summit on security and other issues pertinent to the 2018 midterm federal elections. Panel topics include Election Efficiency and Integrity, Election Security, and Election Accessibility. The summit is open to the public.


Read more in:

The Hill: Election Assistance Commission to host summit on election security

http://thehill.com/policy/cybersecurity/367304-election-assistance-commission-to-host-summit-on-election-security

EAC: U.S. Election Assistance Commission to Host Summit Ahead of 2018 Election

https://www.eac.gov/news/2018/01/03/us-election-assistance-commission-to-host-summit-ahead-of-2018-election/

 

INTERNET STORM CENTER TECH CORNER


Misc News about Meltdown and Spectre

https://www.qualcomm.com/company/product-security/bulletins


AMD Processor Flaw

http://seclists.org/fulldisclosure/2018/Jan/12


Western Digital MyCloud Backdoor

http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125


Fake Anti-Virus Pages Popping Up Like Weeds

https://isc.sans.edu/forums/diary/Fake+antivirus+pages+popping+up+like+weeds/23207/


Apple Spectre/Meltdown Patches

https://support.apple.com/en-us/HT201222


Meltdown Patch Fallout

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB43600/?l=en_US&fs=Search&pn=1&atype=

https://forums.sandboxie.com/phpBB3/viewtopic.php?t=25114

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software


WPA3 Announced

https://www.wi-fi.org/news-events/newsroom/wi-fi-alliance-introduces-security-enhancements

        

WebLogic Flaw Used to Install Monero Crypto Coin Miner

https://isc.sans.edu/forums/diary/Campaign+is+using+a+recently+released+WebLogic+exploit+to+deploy+a+Monero+miner/23191/


******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create