SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #24
March 27, 2018
****************************************************************************
SANS NewsBites March 27, 2018 Vol. 20, Num. 024
****************************************************************************
TOP OF THE NEWS
US DOJ Announces Sanctions and Indictments Against Iranian Hacker Network
Cybersecurity Components of the US House Spending Bill
REST OF THE WEEK'S NEWS
US Dept. of Education RFI on Cybersecurity Workforce Development
Alleged Carbanak Mastermind Arrested in Spain
Chrome Extension Warns of URLs with Non-Standard Unicode Characters
GoScanSSH Malware Targets Linux Systems
UK Anti-Doping Agency Cyberattack
Cybersecurity Needs to Adapt to Attract and Retain Women in the Field
Internet Engineering Task Force Approves TLS 1.3 Protocol
Microsoft Windows Server Won't Authenticate Unpatched RDP Clients
R2D2 System Prevents Data Loss from Disk Wipers
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
TRAINING UPDATE
-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018
-- SANS Security West 2018 | San Diego, CA | May 11-18 | https://www.sans.org/event/security-west-2018
-- SANS at RSA(R) Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018
-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018
-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018
-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018
-- SANS Northern VA Reston Spring 2018 | May 20-25 | https://www.sans.org/event/northern-va-reston-spring-2018
-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018
-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018
-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018
-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get a GIAC Certification Attempt Included or take $350 Off your OnDemand or vLive training course by April 4. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format -https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap https://www.sans.org/courses https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--
US DOJ Announces Sanctions and Indictments Against Iranian Hacker Network
(March 23, 2018)
The US Department of Justice (DOJ) has announced sanctions and criminal indictments against nine Iranians suspected of stealing data from government agencies, private companies, and universities. The purloined data include science and engineering research, trade secrets, and sensitive government information, and were allegedly sold or used by Iran's government. The individuals charged in the indictment are affiliated with the Mabna Institute, an organization created specifically to obtain non-Iranian scientific information through computer intrusions.
Read more in:
FBI: State-Sponsored Cyber Theft
https://www.fbi.gov/news/stories/nine-iranians-charged-in-hacking-scheme-032318
WashPost: Trump administration hits Iranian hacker network with sanctions, indictments in vast global campaign
SC Magazine: Nine Iranians indicted over alleged state-sponsored hacking of universities, companies and governments
Ars Technica: Nine Iranians indicted by US for hacking to steal research data
Threatpost: FBI: Iranian Firm Stole Data in Massive Spear Phishing Campaign
https://threatpost.com/fbi-iranian-firm-stole-data-in-massive-spear-phishing-campaign/130776/
Nextgov: The Big Message in the Iranian Cyber Indictments: Deterrence
--
Cybersecurity Components of the US House Spending Bill
(March 22, 2018)
The spending bill passed by the US House of Representatives last week includes $380 million USD for election security, with priority placed on replacing outdated machines, ensuring paper trails, and implementing post-election audits. The bill also includes legislation that clarifies the process for US law enforcement seeking warrants for data stored by US companies in servers in other countries, and a provision that requires several agencies to adopt supply chain reviews for technology purchases.
Read more in:
Nextgov: Spending Bill Boosts Election Security, Clarifies Overseas Data Warrants
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
US Dept. of Education RFI on Cybersecurity Workforce Development
(March 23, 2018)
The US Department of Education office of the Chief Information Officer (CIO) has issued a request for information (RFI) regarding cybersecurity workforce development. The RFI seeks answers to 12 questions, including workforce organization, identification of talent gaps, and advice for what kind of training to provide.
Responses will be accepted through April 3, 2018.
[Editor Comments]
[Paller] These are well-crafted questions, many of which have been the subject of a 4-year research project involving 11 very large employers from national intelligence agencies (US and allies) to civilian agencies (law enforcement and others) to banks and telecoms. The result of that work is a roadmap (which will change as the threats change) that SANS' larger clients now use in determining what skill development (over what time period) is needed for each critical cybersecurity role. One of the great challenges was figuring out which parts of the NICE Framework matter and which are misleading and will, if followed, lead to placing incompetent people in critical roles.
Read more in:
Nextgov: Education Department Knows It Needs Cyber Skills, But Doesn't Know Which Ones
--
Alleged Carbanak Mastermind Arrested in Spain
(March 26, 2018)
Police in Spain have arrested an individual identified as Denis K. who is believed to be the mastermind behind the Carbanak (also known as Cobalt) malware. The malware was used in attacks against financial institutions that netted the alleged thieves nearly 1 billion euros ($1.25 billion USD).
[Editor Comments]
[Honan] Major kudos to all involved in breaking this case and leading to this arrest. This particular case is a great example of how international cooperation between law enforcement agencies can deal with cybercriminals and should be used as an example to encourage more of this type of operation.
Read more in:
Reuters: Spanish police arrest suspected mastermind of $1 billion bank hacks
Cyberscoop: Cybercrime gang leader who caused ATMs to spit cash is arrested
BBC: Billion euro cyber-suspect arrested in Spain
http://www.bbc.com/news/technology-43543483
ZDNet: Europol tracks down suspected leader of Carbanak malware campaigns
http://www.zdnet.com/article/europol-tracks-down-suspected-leader-of-carbanak-malware-campaigns/
Bleeping Computer: Leader of Carbanak (Cobalt) Hacker Group Who Stole Over €1BIL Arrested in Spain
https://www.bleepingcomputer.com/news/security/leader-of-carbanak-cobalt-hacker-group-who-stole-over-1bil-arrested-in-spain/
--
Chrome Extension Warns of URLs with Non-Standard Unicode Characters
(March 26, 2018)
A new Chrome extension alerts users of the browser when they attempt to visit a domain that includes non-standard Unicode characters. Phishers and other scammers have been known to register domain names that use Unicode characters which look identical to Latin characters; the practice is known as an "internationalized domain name (IDN) homograph attack" or a "Unicode attack." Some browsers display the Punycode form of such a domain, an ASCII encoding that replaces the Unicode characters with other characters and makes it abundantly clear that the URL is suspect. Chrome displays the Punycode version of a URL in the title bar but not the address bar. The new extension displays a red window when a user attempts to view a site whose URL contains Unicode characters.
[Editor Comments]
[Neely] Google initially released a fix to display Punycode in version 59, but only in the address bar; this plugin makes it even more evident that something is afoot. Firefox users can enable "IDN_show_punycode" to at least reveal the encoded domain names. Edge and Vivaldi browsers show these by default. Having the clear alert from this plugin takes this to the same level, challenging the user before allowing the connection to continue.
Read more in:
Bleeping Computer: Chrome Extension Detects URL Homograph (Unicode) Attacks
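As an added illustration (not code from the article or from the extension itself), the check below does for a hostname what such an extension must do: it computes the Punycode form a browser would show and flags names that contain non-ASCII characters or, the classic homograph pattern, mix letters from several scripts inside one label. The sample hostnames are constructed for the example.

```python
import unicodedata

# Constructed sample hostnames (not from the article): a plain ASCII name,
# a Cyrillic-lookalike homograph of it, and a single-script IDN.
SAMPLE_HOSTNAMES = [
    "apple.com",
    "\u0430pple.com",                                 # Cyrillic small a (U+0430) replaces Latin 'a'
    "\u043f\u0440\u0438\u0432\u0435\u0442.example",   # "privet", all Cyrillic in one label
]


def punycode_form(hostname: str) -> str:
    """ASCII (Punycode, 'xn--') form of a hostname, as an address bar shows it
    when IDN display is switched off. Pure ASCII names come back unchanged."""
    return hostname.encode("idna").decode("ascii")


def letter_scripts(label: str) -> set:
    """Coarse script tag per letter, taken from the first word of the Unicode
    character name ('LATIN', 'CYRILLIC', 'GREEK', ...). Digits/hyphens ignored."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "UNKNOWN")
            scripts.add(name.split(" ", 1)[0])
    return scripts


def assess_hostname(hostname: str) -> dict:
    """Return the Punycode form plus the reasons a warning is (or is not) due.
    'non_ascii' alone only means the name is an IDN, which may be legitimate;
    'mixed_script' is the look-alike pattern phishers rely on."""
    labels = hostname.split(".")
    non_ascii = any(ord(ch) > 127 for ch in hostname)
    mixed = any(len(letter_scripts(lbl)) > 1 for lbl in labels)
    return {
        "hostname": hostname,
        "punycode": punycode_form(hostname),
        "non_ascii": non_ascii,
        "mixed_script": mixed,
        "warn": non_ascii,  # the extension described above warns on any Unicode in the URL
    }


if __name__ == "__main__":
    for host in SAMPLE_HOSTNAMES:
        print(assess_hostname(host))
```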
--
GoScanSSH Malware Targets Linux Systems
(March 26, 2018)
GoScanSSH malware targets Linux-based systems and takes pains to avoid infecting machines on government, military, and law enforcement networks. The machines that GoScanSSH does infect are part of a botnet, but it is not yet clear what this botnet's purpose is.
Read more in:
Bleeping Computer: GoScanSSH Malware Avoids Government and Military Servers
--
UK Anti-Doping Agency Cyberattack
(March 26, 2018)
The UK Anti-Doping (UKAD) Agency was recently the target of a cyberattack. The organization's systems hold UK athletes' drug test results and medical records. UKAD became aware of the breach over the weekend on March 24-25. UKAD said that no core activity was affected.
Read more in:
BBC: UK Anti-Doping confirms cyber attack but says no athlete data lost
http://www.bbc.com/sport/43549652
Reuters: Doping: UK agency says no data lost in weekend cyber attack
The Hill: UK anti-doping agency hit by cyberattack
http://thehill.com/policy/cybersecurity/380328-uk-anti-doping-agency-hit-by-cyberattack
--
Cybersecurity Needs to Adapt to Attract and Retain Women in the Field
(March 26, 2018)
Winifred Poster's article outlines ways in which cybersecurity needs to adapt to bring more women into the field: acknowledging women's contributions to the field; recognizing diverse expertise; shedding sexist images; and realizing that females are prime targets of cybercrime. The field as a whole must be more receptive to and welcoming of women. Media and conferences need female speakers. Employers need to seek job candidates beyond computer science, and to hire cohorts of women to avoid isolation and tokenism.
Read more in:
Nature: Cybersecurity needs women
https://www.nature.com/articles/d41586-018-03327-w
--
Internet Engineering Task Force Approves TLS 1.3 Protocol
(March 23 & 25, 2018)
The Internet Engineering Task Force (IETF) has approved the Transport Layer Security (TLS) 1.3 protocol, which aims to prevent eavesdropping. The Financial Services Roundtable, a banking industry group, has sought to include a means for banks and other organizations that retain data to more easily decrypt connections for a variety of reasons. The request met with objection and was ultimately not included in the newest version of the protocol.
[Editor Comments]
[Neely] TLS 1.3 by default disables the weak algorithms that plagued SSL 3.0 and TLS 1.0 security efforts, and the addition of forward secrecy, which prevents decryption of past messages using the current private key, shuts down common attack vectors. The defeat of the request to permit decryption is key in ensuring the strength and adoption of the protocol, another rehash of "should encryption have a backdoor". A side effect is that TLS/SSL inspection solutions will not work with TLS 1.3.
Read more in:
IETF: Protocol Action: 'The Transport Layer Security (TLS) Protocol Version 1.3' to Proposed Standard
https://www.ietf.org/mail-archive/web/ietf-announce/current/msg17592.html
The Register: World celebrates, cyber-snoops cry as TLS 1.3 internet crypto approved
http://www.theregister.co.uk/2018/03/23/tls_1_3_approved_ietf/
Bleeping Computer: IETF Approves TLS 1.3 as Internet Standard
https://www.bleepingcomputer.com/news/security/ietf-approves-tls-13-as-internet-standard/
Cyberscoop: The internet's most important security protocol is finally moving forward
https://www.cyberscoop.com/tls-1-3-approved/
eWeek: TLS 1.3 Encryption Standard Moves Forward, Improving Internet Security
http://www.eweek.com/security/tls-1.3-encryption-standard-moves-forward-improving-internet-security
--
DOJ and Phone Encryption
(March 24, 2018)
Federal law enforcement officials in the US are renewing their efforts to require technology companies to build tools into devices that would allow access to encrypted information. FBI and the US Department of Justice (DOJ) are meeting with researchers to find a way to allow "extraordinary access" to encrypted devices for law enforcement.
[Editor Comments]
[Neely] Encryption backdoors, particularly state sponsored, are of particular concern when you're not in that sponsoring state, let alone for members of that state. Proper use of key escrow and mobile device management allow for appropriate access to encrypted contents, rather than including a weakness in the protection measures.
[Honan] Enabling ways for encryption to be undermined leads to an insecure ecosystem for all, not just the criminals. Also, changing the phrasing for what they are looking for, whether that be "extraordinary access", "golden keys", or "enhanced access", does not get away from the fact that what is being sought is pure and simple a backdoor.
Read more in:
NYT: Justice Dept. Revives Push to Mandate a Way to Unlock Phones
https://www.nytimes.com/2018/03/24/us/politics/unlock-phones-encryption.html
--
Microsoft Windows Server Won't Authenticate Unpatched RDP Clients
(March 23, 2018)
Microsoft Windows Server will refuse to authenticate RDP clients that have not been patched against a flaw that could be exploited to take control of vulnerable systems and infiltrate networks. Microsoft released a patch for the issue on Tuesday, March 20.
[Editor Comments]
[Neely] Implementing a posture check before permitting a connection is not a new idea; it is often seen before permitting VPN connections to complete, and disallowing insecure client connections should be SOP. This is the second of two patches to resolve CVE-2018-0886, which allows MITM actors to pose as a legitimate user while sending arbitrary commands to the server. Be sure to set local policies to require patched client connections after all servers and clients are patched; otherwise examine the use of the Mitigated and Vulnerable GPO settings.
Read more in:
The Register: Microsoft to lock out Windows RDP clients if they are not patched against hijack bug
--
R2D2 System Prevents Data Loss from Disk Wipers
(March 23, 2018)
Researchers at Purdue University have developed a technique to help prevent data loss from disk-wiping malware. The Reactive Redundancy for Data Destruction Protection, or R2D2, system "analyzes write buffers before they can reach a storage medium, determines if the write is destructive, and preserves the data under destruction."
Read more in:
Purdue Engineering: Reactive Redundancy for Data Destruction Protection (R2D2) (PDF)
The Register: 'R2D2' stops disk-wipe malware before it executes evil commands
INTERNET STORM CENTER TECH CORNER
Malicious Word Document Displays Error Message
New Google Chrome Extension Protects Users from IDN Domains
https://github.com/phishai/idn-protect-chrome
Facebook Android App Collected SMS Messages and Call Data
https://twitter.com/dylanmckaynz/status/976368845635035138
TLS 1.3 Impact on Middleware Boxes
https://tools.ietf.org/id/draft-camwinget-tls-use-cases-00.html
Simple Windows IRC Bot With Obfuscated PE Header
https://isc.sans.edu/forums/diary/Windows+IRC+Bot+in+the+Wild/23483/
iOS QR Code Obfuscation Bug
https://infosec.rm-it.de/2018/03/24/ios-camera-qr-code-url-parser-bug/
Open Source Security Orchestration
https://www.getorchestrator.com
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create