SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #42
May 29, 2018
****************************************************************************
SANS NewsBites May 29, 2018 Vol. 20, Num. 042
****************************************************************************
TOP OF THE NEWS
FBI: Reboot Your Router
Many Mobile Devices Not Running Current Operating Systems
Increased Cybersecurity Salaries: What Factors Matter Most?
REST OF THE WEEK'S NEWS
Oracle Dropping Support for Java Serialization
US-CERT Offers Advice on Securing Home Networks
Proposed NDAA Provision Would Require Disclosure of Foreign Code Sharing
GAO, OIG Reports Find Significant Security Weaknesses at NASA
Some Android Phones Shipping with Adware Pre-Installed
L0pht Members 20 Years Later: Internet Faces Same Basic Security Problems
Financial Institutions Follow DHS's Lead to Establish Cybercrime Fusion Centers
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Splunk ***************************
Fraud is a growing problem as more parts of our lives are being touched by digitization. Download a free copy of A Guide to Fraud in the Real World to learn how much fraud is growing across different industries and how organizations are using machine data to find anomalies to fight fraud. http://www.sans.org/info/204295
*****************************************************************************
-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018
-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018
-- Cloud In-Security Summit - DC | Crystal City, VA | June 8 | https://www.sans.org/event/cloud-insecurity-summit-dc
-- Cloud In-Security Summit - Austin | Austin, TX | June 11 | https://www.sans.org/event/cloud-insecurity-summit-tx
-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018
-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018
-- SANS London July 2018 | July 2-7 | https://www.sans.org/event/london-july-2018
-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018
-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018
-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off with SANS Online Training until May 30.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--
FBI: Reboot Your Router
(May 25, 27, & 28, 2018)
The FBI is urging users to reboot their home routers after malware known as VPNFilter was found to have infected more than 500,000 devices. Users should also update their devices' firmware and change the passwords. VPNFilter targets networking equipment from Linksys, MikroTik, NetGear, and TP-Link, as well as QNAP network-attached storage devices. VPNFilter steals website credentials and can issue a command that bricks infected devices. While the router reboot does not remove all of the malware, authorities have seized control of the command and control domain.
[Editor Comments]
[Murray] Probably will not hurt anything but the advice really applies to only a small portion of the router population.
[Neely] While VPNFilter contains characteristics that can persist across reboots, rebooting is a good way to disrupt any existing communication channels. As the ultimate fix is a factory reset, be sure that your router is one of the affected devices first. If you're reconfiguring your router from scratch, follow the guidance from CERT ST15-002. Some home routers come with the ability to have the router reboot itself regularly as part of device health and stability. Rebooting once a week can help insulate you from issues like this, and keep data structures which sometimes fill and cause performance issues clean and functional.
[Northcutt] When it is as simple as pulling the power cord out and reinserting it, and that *might* clear a stage 1 infection and certainly gives law enforcement a fighting chance, I am all for it. Routers are just computers and computers usually feel better after a reboot.
Read more in:
IC3: Foreign Cyber Actors Target Home and Office Routers and Networked Devices Worldwide
https://www.ic3.gov/media/2018/180525.aspx
KrebsOnSecurity: FBI: Kindly Reboot Your Router Now, Please
https://krebsonsecurity.com/2018/05/fbi-kindly-reboot-your-router-now-please/
NYT: F.B.I.'s Urgent Request: Reboot Your Router to Stop Russia-Linked Malware
https://www.nytimes.com/2018/05/27/technology/router-fbi-reboot-malware.html
The Register: FBI to World+Dog: Please, try turning it off and turning it back on
http://www.theregister.co.uk/2018/05/28/fbi_vpnfilter_hunt/
Ars Technica: FBI tells router users to reboot now to kill malware infecting 500k devices
--
Many Mobile Devices Not Running Current Operating Systems
(May 23, 2018)
Statistics from Duo Security indicate that as many as 90 percent of 10.7 million Android devices in the US and Western Europe are not running up-to-date versions of the Android operating system. The problem lies in the fragmented nature of Android patch distribution; many Android users receive updates from manufacturers or carriers irregularly. Duo also found that 56 percent of iOS devices are not running the most current version of that operating system. Eighty-five percent of Chrome OS systems and 74 percent of macOS systems were found to be running outdated operating systems as well.
[Editor Comments]
[Neely] While Google has worked to improve this for some devices, before an update is available for a given device, the update has to pass through both the OEM and Mobile Operator for vetting and verification, which slows the process, if the OEM supports updates in the first place. Updates are available for at most three years on Android devices (OS updates for up to two years, security-only for the last year), while iOS supports four-year-old, and sometimes older, devices with its latest iOS versions. Glitches in the latest iOS releases, such as battery life woes with 11.3.1, are slowing uptake; it remains a good idea to keep rolling to continue the updates as they often address security weaknesses, particularly in WebKit and other browser technology.
Read more in:
Cyberscoop: No one is updating their Android devices, new data shows
https://www.cyberscoop.com/android-updates-out-of-date-duo-security/
--
Increased Cybersecurity Salaries: What Factors Matter Most?
(May 29, 2018)
Cybersecurity salaries are going through both small and large transitions as employers discover factors that once determined security salaries now matter less and other factors gain value. Please share data on your experiences to provide sufficient data for employers, employees and job candidates to be able to make confident decisions. The 12-question survey takes only about 5 minutes.
Survey Methods: Cyber Salary Survey 2018
http://app.surveymethods.com/EndUser.aspx?BA9EF2EABCFBEEE8BF
************************** SPONSORED LINKS ********************************
1) Don't Miss: "True Detective: Autopsy of latest O365 and AWS threats" with John Pescatore. Register: http://www.sans.org/info/204300
2) Cisco Webcast: "We pass the costs to you! An analysis of cryptomining and cryptojacking" Register: http://www.sans.org/info/204305
3) How are you dealing with the rapid evolution of Secure DevOps? Take the SANS 2018 Secure DevOps Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/204310
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
Oracle Dropping Support for Java Serialization
(May 28, 2018)
Oracle plans to end support for Java serialization, which has been the source of many security issues. Oracle's Java platform group chief architect Mark Reinhold said that adding serialization to Java in 1997 was a horrible mistake. Oracle has not set a date for ending serialization support.
[Editor Comments]
[Murray] One remembers the security claims that were made for Java (also Chrome) when it was released. As with many other products, security is sacrificed to features. The claims are washed away by the endless chain of announcements of security vulnerabilities and patches. Patching has become a necessary and routine part of doing business.
[Williams] This move is likely to result in worse security. Serialization support is not unique to Java - most object-oriented languages support it. While many Java developers implement serialization in an unsafe manner, the problem is the use of the feature, not the feature itself. Many applications we pentest today use serialization in a relatively safe manner and will require major refactoring to remove the feature. Rather than refactoring the applications, many organizations will simply opt to execute existing code on legacy Java versions, making everyone less secure.
Read more in:
Bleeping Computer: Oracle Plans to Drop Java Serialization Support, the Source of Most Security Bugs
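The root of the serialization problem is that ObjectInputStream.readObject() instantiates whatever class the incoming bytes name, so untrusted input can drive the construction of arbitrary classes on the classpath. The following is an added example, not code from Oracle or from any of the articles above, showing the distinction drawn in the Williams comment between the feature and its unsafe use: the same bytes read once without a filter and once through a JEP 290 ObjectInputFilter allow-list (java.io.ObjectInputFilter, available since Java 9) that accepts only the one class the application expects. The SessionToken class and the HashMap used as the "unexpected" payload are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class SafeDeserialization {

    // Hypothetical application type: the only thing we legitimately expect on the wire.
    public static final class SessionToken implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        SessionToken(String user) { this.user = user; }
    }

    // Allow-list filter (JEP 290 pattern syntax): permit SessionToken and the
    // java.lang.String it contains, cap graph depth and array sizes to limit
    // resource abuse, and reject ("!*") every other class before it is resolved.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "SafeDeserialization$SessionToken;java.lang.String;maxdepth=5;maxarray=1000;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Unsafe pattern: any class named in the stream is instantiated.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: the filter is consulted for every class descriptor in the stream.
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new SessionToken("alice"));
        // Constructed stand-in for "a class the application never asked for".
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unfiltered, expected type ok: "
            + (readUnfiltered(expected) instanceof SessionToken));
        System.out.println("unfiltered also instantiates: "
            + readUnfiltered(unexpected).getClass().getName());

        System.out.println("filtered, expected type ok: "
            + (readFiltered(expected) instanceof SessionToken));
        try {
            readFiltered(unexpected);
            System.out.println("filtered accepted HashMap (should not happen)");
        } catch (InvalidClassException e) {
            // The filter returns REJECTED and readObject() fails before any
            // constructor or readObject() method of the rejected class runs.
            System.out.println("filtered rejected HashMap: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SafeDeserialization.java && java SafeDeserialization` on Java 9 or later. Two design points: the pattern ends with `!*` because classes that match no pattern are UNDECIDED rather than rejected, and UNDECIDED is treated as allowed when no other filter objects; and a process-wide default can be set with the `jdk.serialFilter` system property for code paths you cannot edit, with per-stream filters like the one above layered on top for the endpoints you control.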
--
US-CERT Offers Advice on Securing Home Networks
(May 25, 2018)
The US Department of Homeland Security's (DHS's) US-CERT has released revised guidance for securing home networks. Apart from the standard advice of updating software regularly, creating strong passwords, and being wary of possible malicious links, users are advised to install a firewall and enable wireless security on routers.
[Editor Comments]
[Neely] ST15-002 brings a number of best practices into a single easy to follow document. This is a great document to hand to someone asking to improve the security of their home network. Preferably before something happens.
[Murray] Most home networks have passive firewalls. While it may not be intuitive, the firewall is much more important than wireless security because most attacks come from the Internet.
Read more in:
US-CERT: Security Tip (ST15-002) Home Network Security
https://www.us-cert.gov/ncas/tips/ST15-002
Nextgov: US-CERT Explains How to Keep Your Home Network Secure
https://www.nextgov.com/cybersecurity/2018/05/how-keep-your-home-network-secure/148478/
--
Proposed NDAA Provision Would Require Disclosure of Foreign Code Sharing
(May 24 & 25, 2018)
The US Senate Armed Services Committee has passed a provision to the Pentagon's spending bill, known as the National Defense Authorization Act (NDAA), that would require tech companies to disclose having allowed foreign adversaries to review their source code. Russia and China have required that US companies seeking to win contracts in those countries allow their source code to be reviewed. The House version of the bill includes provisions that would have the Defense Department (DoD) and the Department of Homeland Security (DHS) work closely to defend systems from hackers, and seeks prompt notification of data breaches affecting military personnel.
[Editor Comments]
[Pescatore] Since 2009, DoD policy has allowed the use of open source software in DoD systems, and open source software is widely used across DoD (and everywhere else) today. The UK requires Huawei and other vendors to provide source code for review. So, legislation to drive the US government to join in and require all suppliers to provide source code access would be positive from a security perspective; but this proposed disclosure would just be more reporting.
Read more in:
Nextgov: Senate Defense Bill Aims to Scrub Cyber Adversaries from U.S. Military Tech
Reuters: Exclusive: U.S. bill would force tech companies to disclose foreign software probes
Cyberscoop: House defense bill would usher in cybersecurity changes at DOD
https://www.cyberscoop.com/dod-cybersecurity-pentagon-ndaa-fiscal-2019/
--
GAO, OIG Reports Find Significant Security Weaknesses at NASA
(May 24, 2018)
According to reports from the Government Accountability Office (GAO) and NASA's Office of Inspector General, the space agency still has a long way to go to improve its cybersecurity posture. The GAO report calls attention to NASA's management and cybersecurity weaknesses. Two separate reports from NASA's OIG examine the agency's security operations center and its IT supply chain risk management.
Read more in:
Nextgov: Investigators Slam NASA for Numerous IT and Cybersecurity Shortcomings
GAO: NASA Information Technology: Urgent Action Needed to Address Significant Management and Cybersecurity Weaknesses
https://www.gao.gov/assets/700/691916.pdf
NASA OIG: Audit of NASA'S Security Operations Center
https://oig.nasa.gov/docs/IG-18-020.pdf
NASA OIG: Audit of NASA'S Information Technology Supply Chain Risk Management Efforts
https://oig.nasa.gov/docs/IG-18-019.pdf
--
Some Android Phones Shipping with Adware Pre-Installed
(May 24 & 28, 2018)
Researchers at Avast have found that several hundred different models of Android phones have Cosiloon adware pre-installed. The adware is installed at the firmware level. Most of the affected devices lack Google certification.
Read more in:
Engadget: Report finds Android malware pre-installed on hundreds of phones
Silicon.uk: Hundreds Of Android Smartphones Preloaded With Malware, Warns Avast
https://www.silicon.co.uk/mobility/smartphones/android-smartphones-preloaded-malware-avast-232957
Avast: Android devices ship with pre-installed malware
https://blog.avast.com/android-devices-ship-with-pre-installed-malware
--
L0pht Members 20 Years Later: Internet Faces Same Basic Security Problems
(May 22 & 24, 2018)
In May 1998, seven members of the L0pht hacker collective spoke before Congress, telling them that "any of the seven individuals seated before you could take down the Internet in 30 minutes." Twenty years later, four members of that group gathered to speak on a panel hosted by the Congressional Internet Caucus. They said that while technology has changed significantly over the past two decades, many of the underlying security concerns remain. Chris Wysopal noted that "We keep building new things on old infrastructure that never seems to get fixed."
Read more in:
The Parallax: 20 years on, L0pht hackers return to D.C. with dire warnings
https://www.the-parallax.com/2018/05/24/l0pht-hackers-return-dire-warnings/
Washington Post: The Cybersecurity 202: These hackers warned Congress the internet was not secure. 20 years later, their message is the same.
Washington Post: A disaster foretold and ignored (**from 2015**)
https://www.washingtonpost.com/sf/business/2015/06/22/net-of-insecurity-part-3/
--
Financial Institutions Follow DHS's Lead to Establish Cybercrime Fusion Centers
(May 20, 2018)
Banks and other financial institutions are creating cybercrime fusion centers, patterned after the centers of the same name established by the Department of Homeland Security (DHS) to bring together federal, state, and local intelligence. The financial sector has even developed its own cyberattack simulation drill.
Read more in:
NYT: Banks Adopt Military-Style Tactics to Fight Cybercrime
https://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html
INTERNET STORM CENTER TECH CORNER
Ultrasound Mobile Location Tracking
https://isc.sans.edu/forums/diary/Do+you+hear+Laurel+or+Yanny+or+is+it+OnOff+Keying/23707/
Analyzing Malware Created with NSIS
https://isc.sans.edu/forums/diary/Quick+analysis+of+malware+created+with+NSIS/23703/
Obfuscated Word Macro
https://isc.sans.edu/forums/diary/Antivirus+Evasion+Easy+as+123/23701/
Z-Wave Attacks
https://www.pentestpartners.com/security-blog/z-shave-exploiting-z-wave-downgrade-attacks/
https://www.silabs.com/community/blog.entry.html/2018/05/23/tl_dr_your_door_is-g1zC
Electron Framework Protocol Handler Patch Bypass
https://blog.doyensec.com/2018/05/24/electron-win-protocol-handler-bug-bypass.html
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create