SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #30
April 17, 2018Learn about "The Five Most Dangerous Attack Techniques, and What's Coming Next" from SANS Institute leaders Alan Paller, Ed Skoudis, Johannes Ullrich, and James Lyne LIVE from RSA, tomorrow, April 18. Scheduled to live stream at 11:15 am PT via https://www.rsaconference.com/live, hear the panel discuss this year's greatest threats and mitigation techniques, and answer live questions from attendees.
****************************************************************************
SANS NewsBites April 17, 2018 Vol. 20, Num. 030
****************************************************************************
TOP OF THE NEWS
Legislators Seek Answers from FBI Director About Unlocking iPhones
Telegram Messaging App Officially Banned in Russia
Android Vendors Not Truthful About Patch Completeness
Solution Found for Bringing Talented Women Into Cybersecurity
REST OF THE WEEK'S NEWS
Transcom Head Says Commercial Transportation Lacks Adequate Cybersecurity
Inogen Breach Compromised Medical Device Customer Data
Google Removes Mobile APT Apps from Google Play Marketplace
Intel SPI Flash Configuration Flaw
EITest Malware Distributor Taken Down
Sentence for PenAir Hacker
DOE Cyber Defense Challenge
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By SANS ******************************
Join SANS for the 2nd Annual Automotive Cybersecurity Summit, May 7-8, in Chicago. Through in-depth presentations and interactive panels, attendees will explore and discuss flashpoints around the following topics: autonomous vehicles, V2X security, automotive cybercrime, smart infrastructures, over-the-air updates, electric vehicle charging systems, and the rapidly evolving automotive threat landscape. More information: http://www.sans.org/info/203430
*****************************************************************************
-- SANS Security West 2018 | San Diego, CA | May 11-18 | https://www.sans.org/event/security-west-2018
-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018
-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018
-- SANS Northern VA Reston Spring 2018 | May 20-25 | https://www.sans.org/event/northern-va-reston-spring-2018
-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018
-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 | https://www.sans.org/event/rocky-mountain-2018
-- SANS London June 2018 | June 4-12 | https://www.sans.org/event/london-june-2018
-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018
-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Special Offer: Get a 12.9" iPad Pro, HP ProBook 450 G5 or take $350 off your OnDemand or vLive course by April 18.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
Live Daytime training with Simulcast - https://www.sans.org/simulcast
Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
Anywhere, Anytime access for 4 months with OnDemand format -https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
Legislators Seek Answers from FBI Director About Unlocking iPhones
(April 13, 2018)
Ten US legislators have sent a letter to FBI Director Christopher Wray asking about the agency's ability to decrypt seized iPhones. While Wray has been vocal about the FBI's inability to break into 7,800 phones last year, a report from Department of Justice (DOJ) Office of Inspector General (OIG) indicated that in the case of the San Bernardino shooter's iPhone, the FBI did not explore all possible avenues for accessing the data it held before seeking a court order to force Apple to decrypt the device. The report observes that the FBI did not consult third party companies that have the capability to break into iPhones and that it did not ask its own remote Operations Unit (ROU) for help.
[Editor Comments]
Murray--The issue is not whether the FBI can access these phones but how much it costs. Recent reports suggest that, at wholesale, the cost is hundreds to thousands of dollars. The FBI seems more interested in passing the cost to others than in accessing the evidence.
Read more in:
House: Letter to FBI Director Christopher Wray (PDF)
https://lofgren.house.gov/uploadedfiles/letter_to_fbi_dir_wray_re_going_dark.pdf
The Hill: Lawmakers question FBI director on encryption
http://thehill.com/policy/cybersecurity/383046-lawmakers-question-fbi-director-on-encryption
Telegram Messaging App Officially Banned in Russia
(April 13, 2018)
Russian news agency TASS is reporting that a Moscow federal court has granted the government's request that the Telegram messaging app be banned in that country. Roskomnadzor, Russia's internet and communications regulator, filed the suit earlier this month after Telegram refused to turn over encryption keys.
[Editor Comments]
[Ullrich] Russia's actions show how difficult it can be to block services like Telegram. Russia apparently does not have the same content specific filtering capability that China uses, and relies more on blocking IP addresses, which is easily evaded by Telegram by moving to cloud providers. The result right now is that Russia saw itself forced to block large parts of Amazon's and Google's cloud, which in turn affected a lot of other services as well. Expect this cat&mouse game to continue for a while with Telegram changing providers and Russia blocking them. From a business point of view, this may have helped Telegram. Telegram has seen a huge surge in new subscribers due to it not being willing to give up subscriber information to Russia.
Williams - Within hours of Telegram being blocked, well meaning people set up Telegram proxies in public cloud services. As the Russian government began blocking these IP addresses, they simply moved the services to new cloud servers. The Russian government quickly became tired of playing Whack-a-mole and set blocked entire IP address ranges for Amazon EC2 and other cloud providers. These IP ranges clearly do much more than host Telegram proxies, so this is likely to create very real issues for Russian businesses. Take note of the fallout - this is why infosec professionals generally recommend against blocking entire ranges of IP addresses. Also, this should be seen as a failure for attempting to censor Telegram (and other encrypted messaging applications).
Murray-Private communications among the governed are always an inconvenience for the governing class and will be resisted. Telegram is an implementation of device-to-device encryption and should not be relied upon to resist nation states or for "life and death" applications.
Read more in:
Ars Technica: "Privacy is not for sale," Telegram founder says after being banned in Russia
ZDNet: After court battle, Russia finally bans Telegram app
https://www.zdnet.com/article/russia-starts-blocking-telegram-encrypted-chat-app/
BBC: Russia to block Telegram app over encryption
http://www.bbc.com/news/technology-43752337
Android Vendors Not Truthful About Patch Completeness
(April 12, 13, & 14, 2018)
Karsten Nohl and Jakob Lell of Security Research Labs in Germany found that many Android device manufacturers are not truthful about the patches they have provided. Nohl and Lell reverse-engineered Android phone OS source code to see if the devices contained the patches the manufacturer claimed they did. "Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks."
[Editor Comments]
Pescatore - The good news is that the phone vendors with the worst patch performance represent less than 15% of the overall global cellphone market. Android security mechanisms also make many of the vulnerabilities difficult to exploit, as well - but carriers should use data like this to withhold certification for use on their networks.
[Neely] Evidence that a patch may not have been incorporated into the update for a given vendors hardware doesn't necessarily mean there is an exploitable vulnerability. The discrepancy in delivered fixes is driven from the nature of the Android ecosystem, where hardware vendors have to compile and adjust the base OS to operate on their delivered hardware, on their supported devices. Plan to replace devices every two to three years to stay supported. The recurring (most common) theme in hacking Android is installing malicious applications. (See article about Google removing APT from Play Store), Application sandboxing, Google Play Protect and devices which run the newer OS versions provide protections above the vendor specific portions of the Android OS to mitigate these risks.
Read more in:
SRL Labs: The Android ecosystem contains a hidden patch gap
https://srlabs.de/bites/android_patch_gap/
Wired: How Android Phones Hide Missed Security Updates From You
https://www.wired.com/story/android-phones-hide-missed-security-updates-from-you/
The Register: Exposed: Lazy Android mobe makers couldn't care less about security
http://www.theregister.co.uk/2018/04/13/slow_android_security_fixes/
ZDNet: Is your Android phone a 'toxic hellstew' of vulnerabilities? There's an app to help you find out
Bleeping Computer: Researchers Catch Android OEMs Lying About Security Patches
Threatpost: Don't Trust Android OEM Patching, Claims Researcher
https://threatpost.com/dont-trust-android-oem-patching-claims-researcher/131183/
Solution Found for Bringing Talented Women Into Cybersecurity
(April 13, 2018)
Just 26 percent of STEM jobs are filled by women, and the number of women in cybersecurity is a considerably lower 11 percent. A number of factors work against the inclusion of women in the field of cybersecurity: societal expectations, failing to self-identify, and the fact that cybersecurity can be perceived as non-collaborative. The Girls Go CyberStart challenge aims to give female high school students the opportunity to explore cybersecurity and decide if it is a field they would like to pursue.
Read more in:
NBC: Jobs in cybersecurity are exploding. Why aren't women in the picture?
************************** SPONSORED LINKS ********************************
1) Don't Miss: "Fighting Account Takeover - Change The Battle and Win" Register: http://www.sans.org/info/203435
2) How do complex systems affect the cost of your endpoint management? Take our survey: http://www.sans.org/info/203440
3) SANS Analyst and pen-testing professional Serge Borso discusses the insights he gained during his hands-on testing of the BreakingPoint appliance. Register: http://www.sans.org/info/203445
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Transcom Head Says Commercial Transportation Lacks Adequate Cybersecurity
(April 10, 2018)
The US military relies on commercial transportation for large-scale troop mobilization. Air Force General Darren McDew, who heads the US Transportation Command (Transcom), says those companies do not have adequate cybersecurity. DoD can impose strict cybersecurity requirements within its own organization, but has little sway on outside contractors. Although Transcom has the authority to examine contractor cybersecurity, McDew says that without national cybersecurity standards, Transcom could face difficulties finding vendors who are willing to adequately secure their systems.
[Editor Comments]
Pescatore - The DoD spends enough money that it has never had to wait for national standards to make private industry to move. The DoD could follow the lead of the Australian Government and making demonstration and monitoring of basic security hygiene (such as the Australian Signals Directorate's Top 4) mandatory.
Read more in:
FCW: Transcom head warns of cyber risks to civilian infrastructure
https://fcw.com/articles/2018/04/10/transcom-cyber-mcdew.aspx?admgarea=TC_Security
Inogen Breach Compromised Medical Device Customer Data
(April 13 & 16, 2018)
Medical device manufacturer Inogen has acknowledged that an employee's email account was compromised, potentially exposing the personal information of 30,000 current and former customers. The compromised data include names, contact information, dates of birth and death, Medicare identification numbers, and insurance policy information. The incident, which occurred some time during the first three months of 2018, was disclosed in an April 13 Securities and Exchange Commission (SEC) filing. Inogen manufactures portable oxygen devices.
Read more in:
SC Magazine: Medical supplier Inogen hit with breach, 30,000 possibly affected
SEC: FORM 8�x2011K: INOGEN, INC. (Item 8.01)
https://www.sec.gov/Archives/edgar/data/1294133/000156459018008092/ingn-8k_20180413.htm
Google Removes Mobile APT Apps from Google Play Marketplace
(April 16, 2018)
Google has removed three mobile advanced persistent threat (mAPT) apps from the Google Play Store after learning of their presence. The apps were designed to conduct surveillance on targets in the Middle East. The apps likely made their way onto the marketplace because they appear relatively innocuous; the surveillance components are downloaded in a second stage.
Read more in:
Threatpost: Google Play Boots Three Malicious Apps from Marketplace Tied to APTS
https://threatpost.com/google-play-boots-three-malicious-apps-from-marketplace-tied-to-apts/131214/
Ars Technica: Sophisticated APT surveillance malware comes to Google Play
Intel SPI Flash Configuration Flaw
(April 15, 2018)
Intel has released fixes for a flaw in the configuration of some of its CPUs that could be exploited to manipulate the chip's SPI Flash memory and create denial of service conditions.
Read more in:
Intel: Unsafe Opcodes exposed in Intel SPI based products
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00087&languageid=en-fr
Bleeping Computer: Intel SPI Flash Flaw Lets Attackers Alter or Delete BIOS/UEFI Firmware
EITest Malware Distributor Taken Down
(April 14 & 16, 2018)
Proofpoint, BrilliantIT, and Abuse.ch worked together to sinkhole the EITest malware network command and control structure. EITest was used to redirect users from legitimate sites to sketchy sites that served malware, exploit kits, and tech support scams.
Read more in:
The Register: Security bods liberate EITest malware slaves
http://www.theregister.co.uk/2018/04/16/security_bods_set_free_eitest_malware_slaves/
Bleeping Computer: Researchers Take Down Network of 52,000 Infected Servers Distributing Malware
Sentence for PenAir Hacker
(April 12, 2018)
Suzette Kugler, a former PenAir airline employee. has been sentenced to five years of probation for surreptitiously creating high-privilege user accounts on the company's database and using those accounts to destroy data, making it impossible for employees to book, ticket, modify, or board flights. PenAir was able to remediate the damage caused by Kugler overnight, minimizing disruption to its customers. Kugler, who had administered the company's ticketing and reservations database, has already paid more than $5,600 USD in restitution.
Read more in:
DOJ: Former Airline Employee Sentenced For Hacking PenAir's Ticketing And Reservations System
DOE Cyber Defense Challenge
(April 10, 2018)
Earlier this month, the US Department of Energy (DOE) held its third Cyber Defense Challenge. Twenty-five teams of college students competed to defend networks they had built from attacks. The competition was hosted at three DOE sites around the country at Pacific Northwest National Laboratory in Washington state, Argonne National Laboratory in Illinois, and Oak Ridge National Laboratory in Tennessee. Winners were names at each site; the team from Lewis University (Illinois) was the overall champion.
Read more in:
Energy: Lewis University Wins DOE's 2018 Cyber Defense Competition
https://www.energy.gov/articles/lewis-university-wins-doe-s-2018-cyber-defense-competition
Nextgov: College Students Battle To Control the Power Grid in Energy Department Challenge
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Drupal Update
https://isc.sans.edu/forums/diary/Drupal+CVE20187600+PoC+is+Public/23549/
Android Patch Gap
https://srlabs.de/wp-content/uploads/2018/04/SRLabs-Mind_the_gap-Android_Patch_Gap-HITB_2018.pdf
Google Testing "Self Destruct" E-Mails
https://techcrunch.com/2018/04/13/google-is-testing-self-destructing-emails-in-new-gmail/
Telegram vs. Russia Blocking
Intel Fixes SPI Flash Flaws
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00087&languageid=en-fr
https://pcsupport.lenovo.com/us/en/product_security/ps500160
PowerHammer: Data Exfiltration via Power Lines
https://arxiv.org/pdf/1804.04014.pdf
State Actor Attacks Against Network Equipment
https://www.us-cert.gov/ncas/alerts/TA18-106A
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
