SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #37

May 11, 2018

Webcast | The Five Most Dangerous New Attacks: The Rest of the Story

May 16, 2018 | 1pm ET (17:00:00 UTC)

Security experts Ed Skoudis, Johannes Ullrich, and James Lyne summarize the five most dangerous new attack techniques and how to defend against them, share updates from the RSAC panel, and open the floor to new questions.


Watch their RSAC panel from April 18, 2018: https://www.sans.org/the-five-most-dangerous-new-attack-techniques

Register for the webcast: https://www.rsaconference.com/videos/virtual-session-the-five-most-dangerous-new-attacks-the-rest-of-the-story


****************************************************************************

SANS NewsBites               May 11, 2018                Vol. 20, Num. 037

****************************************************************************


TOP OF THE NEWS

 --Survey Finds Low Interest in Cybersecurity Careers Among Millennials (They didn't ask the right question.)
 --Cyber Command Elevated to Unified Combatant Command

REST OF THE WEEK'S NEWS

 --Colorado Leads in Election Security
 --IBM Bans Removable Storage for Data Transfer
 --NIS Directive Now in Effect
 --Botnets Competing for Dasan GPON-Capable Routers
 --Bill Would Block Government from Requiring Encryption Back Doors
 --Microsoft Patch Tuesday
 --Vendors Release Updates to Address Flaw Introduced by Misinterpreted Intel Documentation
 --Georgia Governor Vetoes Unauthorized Computer Access Bill
 --Assigning Cost to the Mirai Botnet DDoS Attack Against KrebsOnSecurity
 --Lawrence Livermore National Laboratory Conducts Science Bowl Cybersecurity Challenge

INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By SecurityMatters  ******************


How can you proactively improve your ability to better detect and respond to threats?  Register for "Threat Management Made Easy: How to Protect Your ICS Network with Less Effort" http://www.sans.org/info/203895


*****************************************************************************


-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018


-- SANS Northern VA Reston Spring 2018 | May 20-25 | https://www.sans.org/event/northern-va-reston-spring-2018


-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018


-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 | https://www.sans.org/event/rocky-mountain-2018


-- SANS London June 2018 | June 4-12 | https://www.sans.org/event/london-june-2018


-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018


-- Cloud In-Security Summit - DC | Crystal City, VA | June 8 | https://www.sans.org/event/cloud-insecurity-summit-dc


-- Cloud In-Security Summit - Austin | Austin, TX | June 11 | https://www.sans.org/event/cloud-insecurity-summit-tx


-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018


-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Special Offer: Get an iPad, a Samsung Galaxy Tab A, or take $250 Off with OnDemand or vLive Training until May 16.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************


TOP OF THE NEWS


 --Survey Finds Low Interest in Cybersecurity Careers Among Millennials (They didn't ask the right question.)

(May 8, 2018)

According to a report from ProtectWise and Enterprise Strategy Group, just nine percent of millennials are interested in pursuing a career in cybersecurity. Of the 524 people surveyed, nearly half had been in a STEM program during their K-12 education. Many expressed interest in computer-related careers, but the low interest in cybersecurity may be due to a lack of awareness: most of those surveyed do not know any cybersecurity professionals, and many have not had any cybersecurity classes.


[Editor Comments]

[Paller] Sixteen U.S. governors sponsored a program for high school students that doubled the percent interested in cyber security careers from 36% to 70%. This problem is hard only for people who lecture to millennials instead of enabling them to experience the excitement of solving actual cybersecurity problems. See Cyberstart.us for an overview and https://www.sans.org/CyberStartUS/girls-go-cyberstart-feedback for details on the doubling of interest in STEM careers (in just 6 days of experience).


[Pescatore] I think it is just as important (if not more) to see kids interested in computer-related careers think, "Hey, that would be cool to build apps/systems/businesses that bad guys can't break into."


Read more in:

Tech Republic: Only 9% of millennials are interested in a cybersecurity career

https://www.techrepublic.com/article/only-9-of-millennials-are-interested-in-a-cybersecurity-career/

ProtectWise: Survey Suggests Younger Generations, Including Females, May Fill The Cybersecurity Talent Gap

https://www.protectwise.com/post/survey-suggests-younger-generations-including-females-may-fill-the-cybersecurity-talent-gap/

 

 --Cyber Command Elevated to Unified Combatant Command

(May 4 & 8, 2018)

On the same day that Army General Paul Nakasone was sworn in as Commander of US Cyber Command and director of the National Security Agency (NSA), US Cyber Command was elevated to an independent unified combatant command. Deputy Defense Secretary Patrick Shanahan called the shift an acknowledgement that "this new warfighting domain has come of age."


Read more in:

Fifth Domain: Nakasone takes helm at NSA and newly elevated Cyber Command

https://www.fifthdomain.com/dod/cybercom/2018/05/07/nakasone-takes-helm-at-nsa-and-newly-elevated-cyber-command/

Military.com: Cyber Command Elevated to Combatant Command

https://www.military.com/defensetech/2018/05/04/cyber-command-elevated-combatant-command.html

Reuters: Pentagon's Cyber Command gets upgraded status, new leader

https://www.reuters.com/article/us-usa-defense-cyber/pentagons-cyber-command-gets-upgraded-status-new-leader-idUSKBN1I52MS

 

**************************  SPONSORED LINKS  ********************************


1) "Why Zero Trust Security is Essential for Your Cloud and Data Center" with Dave Shackleford. Register: http://www.sans.org/info/203900


2) "Defending Against the Rising Tide of Industrial CyberThreats: An OT CyberSecurity Case Study"  Register: http://www.sans.org/info/203905


3) What experience and skills do you look for in a threat hunting expert? Take the SANS 2018 Threat Hunting survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/203910


*****************************************************************************


THE REST OF THE WEEK'S NEWS


 --Colorado Leads in Election Security

(May 10, 2018)

Colorado is doing a lot of things right when it comes to making sure its elections are secure. All votes are recorded on paper ballots, and Colorado is one of just three US states to conduct risk-limiting audits. In addition, election officials participate in security training and IT staff conduct network security assessments.


[Editor Comments]


[Northcutt] This article provides a look at the funding struggles faced by states seeking to replace outdated voting equipment: https://www.propublica.org/article/election-security-a-high-priority-until-it-comes-to-paying-for-new-voting-machines


[Pescatore] Most states have a Secretary of State or equivalent who has responsibility for elections. Very nice to see Colorado Secretary of State Wayne Williams leading the way in election security. DHS has finally started to move on treating election systems as Critical Infrastructure at the federal level, but it would be good to see the National Association of State Secretaries put real emphasis on their cybersecurity initiative.


[Paller] The Multi-State ISAC, under John Gilligan, is establishing a new Voting Systems ISAC for the Secretaries of State and has published a handbook for local governments, A Handbook for Elections Infrastructure Security (PDF). It is posted at https://www.cisecurity.org/wp-content/uploads/2018/02/CIS-Elections-eBook-15-Feb.pdf


Read more in:

Washington Post: The Cybersecurity 202: How Colorado became the safest state to cast a vote

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2018/05/10/the-cybersecurity-202-how-colorado-became-the-safest-state-to-cast-a-vote/5af317c930fb042db5797427

 

 --IBM Bans Removable Storage for Data Transfer

(May 10, 2018)

IBM is banning the use of removable storage devices, including Flash, USB, and SD cards, to transfer data. The policy is already in place at some IBM locations, but a new employee advisory says that the policy is now global. The company may be considering exemptions from the policy for certain circumstances, such as software updates.


Read more in:

The Register: IBM bans all removable storage, for all staff, everywhere

http://www.theregister.co.uk/2018/05/10/ibm_bans_all_removable_storage_for_all_staff_everywhere/

 

 --NIS Directive Now in Effect

(May 10, 2018)

The European Union's Security of Network and Information Systems (NIS) Directive took effect on Thursday, May 10, 2018. The directive focuses on improving the security and resilience of systems in critical infrastructure sectors, including electricity, water, transportation, and healthcare.


Read more in:

SC Magazine UK: NIS Directive comes into force to boost infrastructure cyber-security

https://www.scmagazineuk.com/nis-directive-comes-into-force-to-boost-infrastructure-cyber-security/article/764948/

V3: European Union NIS directive comes into force today

https://www.v3.co.uk/v3-uk/news/3032001/european-union-nis-directive-comes-into-force-today

Computing: EU NIS Directive to boost cyber security of essential infrastructure comes into force

https://www.computing.co.uk/ctg/news/3031981/eu-nis-directive-to-boost-cyber-security-of-essential-infrastructure-comes-into-force

NCSC: The NIS Guidance Collection

https://www.ncsc.gov.uk/guidance/nis-guidance-collection

 

 --Botnets Competing for Dasan GPON-Capable Routers

(May 10, 2018)

At least five different botnets are competing with each other to exploit a pair of vulnerabilities in Gigabit Passive Optical Network (GPON)-capable routers made by Dasan. While the botnets have been trying to infect the routers, none has been successful.


Read more in:

ZDNet: Botnets 'competing' to attack vulnerable GPON fiber routers

https://www.zdnet.com/article/botnets-competing-to-attack-vulnerable-gpon-fiber-routers/

Bleeping Computer: Botnet Party on GPON Routers

https://www.bleepingcomputer.com/news/security/botnet-party-on-gpon-routers/

 

 --Bill Would Block Government from Requiring Encryption Back Doors

(May 10, 2018)

US legislators have introduced a bill that would prohibit the government from requiring tech companies to include backdoors in their products that would allow law enforcement to access information on the devices. The Secure Data Act is co-sponsored by a bipartisan group of House legislators. The bill follows in the wake of an FBI inspector general report that found the FBI did not exhaust all possible means of accessing information on the San Bernardino shooter's iPhone before demanding that Apple assist them in breaking into the device.


[Editor Comments]

[Neely] There was a time when certain nations only permitted encryption that they had the ability to decode, either via a back door or brute force; then there was the Clipper chip. The lesson learned was that reliable, trustworthy encryption cannot have a back door. This 32-line bill cuts to the core problem of continuing requests for a backdoor in encryption, as well as court orders asking vendors to bypass or circumvent security. This should not be needed in a country competing for a piece of the global economy.


[Pescatore] Going back to the Clipper chip days, I've always been on the side of "strong crypto is needed for businesses to protect themselves, and no strong crypto has backdoors." But it just seems kind of wrong to have legislation to say the Government should not do the wrong thing.


Read more in:

The Hill: Lawmakers move to block government from ordering digital back doors

http://thehill.com/policy/cybersecurity/387122-house-lawmakers-move-to-block-govt-from-ordering-digital-back-doors

Cyberscoop: Government would be barred from mandating crypto backdoors under House bill

https://www.cyberscoop.com/crypto-backdoor-mandate-ban-house-legislation-zoe-lofgren/?category_news=technology

Nextgov: Lawmakers Reintroduce Bill to Bar Government Encryption Backdoors

https://www.nextgov.com/cybersecurity/2018/05/lawmakers-reintroduce-bill-bar-law-government-encryption-backdoors/148133/

Lofgren: Secure Data Act of 2018 (PDF)

https://lofgren.house.gov/sites/lofgren.house.gov/files/Secure%20Data%20Act%202018.pdf

 

 --Microsoft Patch Tuesday

(May 8 & 10, 2018)

Among the security issues that Microsoft addressed in its monthly Patch Tuesday release are two critical remote code execution flaws in Windows that attackers are actively exploiting. In all, the May release addresses 68 CVEs, 21 of which are deemed critical.


Read more in:

MSRC: Security Update Summary

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

Ars Technica: Critical Windows bug fixed today is actively being exploited to hack users

https://arstechnica.com/information-technology/2018/05/microsoft-patches-critical-windows-bug-actively-exploited-in-the-wild/

Computerworld: Patch Tuesday problems, fixes, but no cause for immediate alarm

https://www.computerworld.com/article/3271849/microsoft-windows/patch-tuesday-problems-fixes-but-no-cause-for-immediate-alarm.html

Dark Reading: Microsoft's Patch Tuesday Fixes Two CVEs Under Active Attack

https://www.darkreading.com/endpoint/microsofts-patch-tuesday-fixes-two-cves-under-active-attack/d/d-id/1331748

KrebsOnSecurity: Microsoft Patch Tuesday, May 2018 Edition

https://krebsonsecurity.com/2018/05/microsoft-patch-tuesday-may-2018-edition/

Threatpost: May Patch Tuesday Fixes Two Bugs Under Active Attack

https://threatpost.com/may-patch-tuesday-fixes-two-bugs-under-active-attack/131811/


 

 --Vendors Release Updates to Address Flaw Introduced by Misinterpreted Intel Documentation

(May 8 & 9, 2018)

Operating system (OS) developers at many major companies misinterpreted existing Intel architecture documentation on how interrupts and exceptions are handled around certain instructions, namely MOV to SS and POP to SS. OS vendors are now releasing fixes for the resulting mishandling of hardware debug exceptions.


Read more in:

CERT: Hardware debug exception documentation may result in unexpected behavior

https://www.kb.cert.org/vuls/id/631579

Threatpost: Major OS Players Misinterpret Intel Docs, and Now Kernels Can Be Hijacked

https://threatpost.com/major-os-players-misinterpret-intel-docs-and-now-kernels-can-be-hijacked/131869/

The Register: Every major OS maker misread Intel's docs. Now their kernels can be hijacked or crashed

http://www.theregister.co.uk/2018/05/09/intel_amd_kernel_privilege_escalation_flaws/

SC Magazine: Confusion over chipmakers' debug exception instructions prompts patching by OS developers

https://www.scmagazine.com/confusion-over-chipmakers-debug-exception-instructions-prompts-patching-by-os-developers/article/764853/

eWeek: Misunderstood Intel Documentation Leads to Multivendor Vulnerability

http://www.eweek.com/security/misunderstood-intel-documentation-leads-to-multivendor-vulnerability


 

 --Georgia Governor Vetoes Unauthorized Computer Access Bill

(May 9, 2018)

The governor of the US state of Georgia has vetoed a bill that had been criticized for being overly broad in its definition of unauthorized computer access. Opponents of the measure said it could have hindered efforts to secure computer systems. The bill would also have allowed companies to hack back at cyber adversaries; critics said that provision was likely to be abused for anti-competitive purposes.


[Editor Comments]

[Pescatore] Good to see the balance of power at work and common sense prevailing.


Read more in:

SC Magazine: Georgia governor vetoes anti-bug bounty bill

https://www.scmagazine.com/georgia-governor-vetoes-anti-bug-bounty-bill/article/764858/

Ars Technica: Georgia governor vetoes cyber bill that would criminalize unauthorized access

https://arstechnica.com/tech-policy/2018/05/georgia-governor-vetoes-cyber-bill-that-would-criminalize-unauthorized-access/

 

 --Assigning Cost to the Mirai Botnet DDoS Attack Against KrebsOnSecurity

(May 7 & 9, 2018)

A study from researchers at the University of California, Berkeley School of Information assigned a cost to the Mirai Internet of Things (IoT) botnet that took down the KrebsOnSecurity website for nearly four days in September 2016. The researchers estimated that the botnet's distributed denial-of-service (DDoS) attack against the website cost device owners a total of nearly $324,000 USD, or approximately $13.50 USD per infected device, in additional power and bandwidth consumption.


Read more in:

Groups.iSchool: Quantifying Consumer Costs of Insecure Internet of Things Devices

https://groups.ischool.berkeley.edu/riot/

KrebsOnSecurity: Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K

https://krebsonsecurity.com/2018/05/study-attack-on-krebsonsecurity-cost-iot-device-owners-323k/

The Register: Mirai botnet cost you $13.50 per infected thing, say boffins

http://www.theregister.co.uk/2018/05/09/berkeley_boffins_infect_things_with_mirai_in_a_good_cause/

 

 --Lawrence Livermore National Laboratory Conducts Science Bowl Cybersecurity Challenge

(May 10, 2018)

Lawrence Livermore National Laboratory (LLNL) and students from LLNL's Cyber Defenders program conducted the CyberCraft Cyber Challenge for middle school National Science Bowl finalists.


[Editor Comments]

[Neely] One of the internship opportunities at LLNL is their Cyber Defenders program. The program managers put out a broad call for projects, both to employees and participating schools, such as the CyberCraft Cyber Challenge. Mentoring these students is an awesome opportunity; if you are offered the chance, say yes. If your corporate internship program doesn't include a cyber security path, see if you can add one.


Read more in:

LLNL: Science bowl finalists take on cyber challenge

https://www.llnl.gov/news/science-bowl-finalists-take-cyber-challenge


INTERNET STORM CENTER TECH CORNER

 

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+May+2018+Patch+Tuesday/23637/


Basestriker Vulnerability Hitting Office 365

https://www.avanan.com/resources/basestriker-vulnerability-office-365


Wget Cookie Injection Vulnerability

http://seclists.org/fulldisclosure/2018/May/20

       

Lloyds Bank Phish Leads to Trickbot

https://isc.sans.edu/forums/diary/Nice+Phishing+Sample+Delivering+Trickbot/23641/


Firefox Group Policy Engine

https://www.bleepingcomputer.com/news/software/group-policy-support-coming-to-firefox-60/


OS Vendors Fix Intel Debug Flaw

https://www.kb.cert.org/vuls/id/631579


Cryptocoin Miner in Excel

https://charles.dardaman.com/js_coinhive_in_excel


DNS Exfiltration in Windows

https://isc.sans.edu/forums/diary/Exfiltrating+data+from+very+isolated+environments/23645/


Fake Electrum Wallet

https://github.com/spesmilo/electrum-docs/blob/master/decompiling_guide.md


Treasure Hunter PoS Malware Source Code Leaked

https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/


More Malicious Chrome Extensions Spreading via Facebook

https://blog.radware.com/security/2018/05/nigelthorn-malware-abuses-chrome-extensions/


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create