SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #23
March 23, 2018
****************************************************************************
SANS NewsBites March 23, 2018 Vol. 20, Num. 023
****************************************************************************
TOP OF THE NEWS
Military Draft for Cybersecurity Talent
GitHub Security Scan Found Vulnerabilities in JavaScript and Ruby Libraries
Orbitz Breach Affects 880,000 Payment Cards
REST OF THE WEEK'S NEWS
Apple Will Fix Siri Privacy Flaw
Drupal Will Release Updates to Fix Critical Security Flaw
Atlanta City Computers Hit with Cyberattack
NIST Draft Guidance for Creating Cyber Resiliency
AMD Will Issue Fixes for Chip Flaws
Microsoft Releases Patch for Remote Assistance Tool Flaw
FBI Raids Home of Intelligence Contractor Over Leaked Source Code
University Researchers Receive NSF Grant to Address GPS and NTP Security
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
TOP OF THE NEWS
--
Military Draft for Cybersecurity Talent
(March 21, 2018)
The US military is in need of people with strong cyber skills. The National Commission on Military, National, and Public Service is seeking public comment on the possibility of changing selective service rules to allow conscription of individuals with certain technical expertise regardless of their gender or their age. But drafting people with the needed skills away from the private sector could leave those companies without adequate protection. Instead, the cybersecurity workforce could grow through programs that identify people with a natural aptitude for the work and train them.
[Editor Comments]
[Henry] There most certainly needs to be a comprehensive plan to obtain more cybersecurity skills, both in the military and the private sector. That talent is best developed when the aptitude is identified and nurtured at an early age. A cross-government plan, including the Department of Education, DOD, and others, to assess future needs and how to fill them, is long overdue. I give them credit for being creative and considering conscription, but that will not fit the long-term requirements.
[Ullrich] Finding people with an aptitude for security and training them should be a priority for the private sector as well. Part of the skill shortage is that companies look for individuals who already have exactly the skills they need for a particular job. But these skills will be irrelevant in a couple years and companies without the ability and willingness to provide ongoing training to keep their security teams up to date will always suffer.
Read more in:
The Register: US mulls drafting gray-haired hackers during times of crisis
--
GitHub Security Scan Found Vulnerabilities in JavaScript and Ruby Libraries
(March 22, 2018)
Late last year, GitHub began scanning JavaScript and Ruby libraries for known security issues and informing project owners that they needed to use updated versions. GitHub says that the process revealed more than four million instances of security flaws and prompted project owners to take action. GitHub plans to scan Python dependencies later this year.
[Editor Comments]
[Ullrich] This is a great, helpful initiative by GitHub. With all the open source code GitHub manages, they are in a good position to make a real difference. Software dependencies have long been a weak point; I hope GitHub will be able to extend this to other languages soon.
Read more in:
ZDNet: GitHub: Our dependency scan has found four million security flaws in public repos
--
Orbitz Breach Affects 880,000 Payment Cards
(March 20 & 21, 2018)
Expedia subsidiary Orbitz has acknowledged that a data breach has compromised personal information associated with as many as 880,000 payment card accounts. The breach affected the company's consumer platform between January and June 2016, and its partner platform between January 2016 and December 2017.
Read more in:
Threatpost: Orbitz Warns 880,000 Payment Cards Suspected Stolen
https://threatpost.com/orbitz-warns-880000-payment-cards-suspected-stolen/130601/
SC Magazine: Orbitz hit with data breach, info on 880,000 payment cards at risk
Reuters: Expedia's Orbitz says 880,000 payment cards hit in breach
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
Apple Will Fix Siri Privacy Flaw
(March 22, 2018)
Apple will release a fix for an issue that allows the iPhone's Siri voice assistant to read aloud notifications from locked screens. Anyone with access to a locked iPhone can cause Siri to "speak" third-party app messages, even if they are hidden. The issue does not affect iMessage or SMS texts. The problem affects iOS 11.2.6 and the beta version of iOS 11.3. Until the fix is available, users can turn off screen notifications for sensitive apps or disable Siri when the device is locked.
Read more in:
Threatpost: Apple to Fix Glitch Allowing Siri to Read Hidden Messages Out Loud
https://threatpost.com/apple-to-fix-glitch-allowing-siri-to-read-hidden-messages-out-loud/130721/
--
Drupal Will Release Updates to Fix Critical Security Flaw
(March 22, 2018)
The Drupal Security Team has announced that it will release updates for Drupal 7 and 8 core on Wednesday, March 28 to address a highly critical security issue. There will be a security release for Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x. While Drupal 8.3.x and 8.4.x are no longer actively supported, there will be updates for these versions due to the severity of the issue.
Read more in:
Threatpost: Drupal Forewarns 'Highly Critical' Bug to be Patched Next Week
https://threatpost.com/drupal-forewarns-highly-critical-bug-to-be-patched-next-week/130733/
Drupal: Drupal 7 and 8 core highly critical release on March 28th, 2018 PSA-2018-001
https://www.drupal.org/psa-2018-001
--
Atlanta City Computers Hit with Cyberattack
(March 22, 2018)
Outages affecting government computer systems that belong to the city of Atlanta, Georgia may be due to a ransomware attack. An Atlanta city employee reportedly sent a local television station a screenshot of a ransomware message demanding payment to unlock the affected machines. The FBI has been called in.
Read more in:
Ars Technica: Atlanta city government systems down due to ransomware attack [Updated]
SC Magazine: Atlanta computer systems under siege in possible ransomware attack
CNET: Atlanta computer systems held hostage in ransomware attack
https://www.cnet.com/news/atlanta-computer-systems-held-hostage-in-ransomware-attack/
--
NIST Draft Guidance for Creating Cyber Resiliency
(March 21, 2018)
The US National Institute of Standards and Technology (NIST) has released a draft publication to help organizations address advanced persistent threats (APTs) by developing and maintaining resilient systems. NIST defines resilience as "the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources regardless of the source." NIST is accepting public comment on "Systems Security Engineering: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems" through May 18, 2018.
[Editor Comments]
[Pescatore] While "resiliency" is a current buzzword, there is good information in here and some templates. But the two volumes of 800-160 now weigh in at over 500 pages, which is into college textbook territory vs. being useful for operational advice.
Read more in:
GCN: NIST targets APTs with resilience strategies
https://gcn.com/articles/2018/03/21/nist-cyber-resilience-apt.aspx?admgarea=TC_SecCybersSec
CSRC: Cyber Resiliency Considerations for the Engineering of Trustworthy Secure Systems (PDF)
--
AMD Will Issue Fixes for Chip Flaws
(March 20 & 21, 2018)
Advanced Micro Devices (AMD) plans to release firmware updates to address security issues in its Ryzen and EPYC chips. The chips' flaws were disclosed by researchers last week before AMD had time to prepare fixes.
Read more in:
The Register: CTS who? AMD brushes off chipset security bugs with firmware patches
http://www.theregister.co.uk/2018/03/21/amd_brushes_off_chip_flaws/
SC Magazine: AMD addresses critical vulnerabilities with pending update, says flaws not as severe
ZDNet: AMD on chip flaws: 'Newly outed bugs are real but no big deal, and fixes are coming'
Threatpost: AMD Acknowledges Vulnerabilities, Will Roll Out Patches in Coming Weeks
--
Microsoft Releases Patch for Remote Assistance Tool Flaw
(March 20 & 21, 2018)
Microsoft has fixed a vulnerability in its Windows Remote Assistance tool that could be exploited to steal data from a targeted computer and upload them to a remote server. The flaw can only be exploited if the target uses the tool to contact the attacker. The patch was released in Microsoft's monthly security update on Tuesday, March 13.
[Editor Comments]
[Pescatore] There seems to be a resurgence of the telephone scam calls pretending to be Microsoft or Windows "support" calls, tricking users into allowing remote access. Worth a reminder to everyone - just because they might see a Remote Assistance tool update pushed to their home and work machines does *not* mean Microsoft or your IT team will be calling them to log on remotely.
Read more in:
SC Magazine: Microsoft remote assistance tool threat patched, danger remains
Bleeping Computer: Windows Remote Assistance Tool Can Be Used for Targeted Attacks
--
FBI Raids Home of Intelligence Contractor Over Leaked Source Code
(March 20, 2018)
US law enforcement agents have raided the home of a US intelligence contractor who is suspected of leaking classified information on Facebook. John Glenn Weed worked for the National Reconnaissance Office, which is responsible for the country's intelligence satellites. This is not the first time a search warrant has been executed on Weed's home; in a 2013 raid, federal agents found more than $300,000 USD of stolen hardware.
[Editor Comments]
[Henry] If the article is accurate, there appear to be a host of clear signs that Weed was a potential risk to national security. The insider threat is a serious one, and it requires thorough vetting of potential employees, as well as ongoing assessments/detections of anomalous and/or malicious behavior. That might include continuous monitoring of publicly available information, such as arrest records. The risk of a cleared employee or contractor as an insider is high, given their access to sensitive national security information, and security protocols become steeper in those circumstances.
[Pescatore] Seems to indicate serious personnel security problems if someone that was found trafficking in stolen hardware is working at an intelligence contractor with clearances just 5 years later.
Read more in:
The Register: FBI raids home of spy sat techie over leak of secret comms source code on Facebook
http://www.theregister.co.uk/2018/03/20/fbi_nro_contractor_raided/
--
University Researchers Receive NSF Grant to Address GPS and NTP Security
(March 20, 2018)
Clemson University researchers have received a $1 million USD National Science Foundation (NSF) grant to develop methods to prevent GPS spoofing and defend against Network Time Protocol (NTP) attacks. GPS spoofing could be used to provide vessels with incorrect location data, possibly causing damage. NTP attacks could be used to change the time on devices and access encrypted information.
Read more in:
GCN: Patching security holes in GPS, computer timing
https://gcn.com/articles/2018/03/20/gps-spoofing-defense.aspx?admgarea=TC_SecCybersSec
--
NSA Tracking Bitcoin Users
(March 20, 2018)
According to documents leaked by Edward Snowden, the National Security Agency (NSA) has been tracking Bitcoin users since 2013. The NSA collected information from Bitcoin users' computers, including MAC addresses, passwords, and Internet activity.
Read more in:
The Intercept: The NSA Worked to "Track Down" Bitcoin Users, Snowden Documents Reveal
Cyberscoop: NSA has been tracking bitcoin users since 2013
https://www.cyberscoop.com/nsa-bitcoin-oakstar-monkey-rocket/?category_news=technology
INTERNET STORM CENTER TECH CORNER
Admin Password Bad Practices
https://isc.sans.edu/forums/diary/Administrators+Password+Bad+Practice/23465/
WebKit Protecting Against HSTS Abuse
https://webkit.org/blog/8146/protecting-against-hsts-abuse/
Coverity Code Scanner Compromise
Bypassing Payment Confirmations via Webhooks
https://lightningsecurity.io/blog/bypassing-payments-using-webhooks/
Surge in Blackmail E-Mails
https://isc.sans.edu/forums/diary/Surge+in+blackmailing/23469/
AMD Announces Plan to Patch "AMDFlaws"
Github Projects Infected With Cryptocoin Miners
https://blog.avast.com/greedy-cybercriminals-host-malware-on-github
GitHub Dependency Scan
MacOS Logs APFS Encrypted External Volumes Passwords
Automatic Hunting for Malicious Files Crossing Your Network
https://isc.sans.edu/forums/diary/Automatic+Hunting+for+Malicious+Files+Crossing+your+Network/23473/
Visual Studio Code Remote Code Exec Vulnerability Fixed
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create