
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #44

June 5, 2018

****************************************************************************

SANS NewsBites               June 5, 2018                Vol. 20, Num. 044

****************************************************************************


TOP OF THE NEWS

FireEye Report: State Election Systems at Risk

New York State and DHS to Hold Cybersecurity Exercises to Protect Election Integrity

NIST Seeking Comments on Lightweight Encryption Algorithm Project


REST OF THE WEEK'S NEWS

Group Wants Atlanta to Publish Blameless Post-Mortem of Cyber Attack

Mobile App Developers Making Old Mistakes

Letter from DHS Official Says Evidence of Stingray Use in DC Area

Apple Updates, and Upcoming Security Enhancements

FBI and DHS Share Information About Malware Tied to Suspected North Korean Hackers

Valve Fixed 10-Year-Old Remote Code Execution Flaw in Steam

US Special Operations Command Stepping Up Digital Forensics Research


INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By Splunk  ************************************


Download A Short Primer of GDPR Essentials. A cheat sheet to help both the data privacy expert and non-expert approach the GDPR with key takeaways.  http://www.sans.org/info/204415


*****************************************************************************


-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018


-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018


-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018


-- SANS London July 2018 | July 2-7 | https://www.sans.org/event/london-july-2018


-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018


-- Security Awareness Summit 2018 | Charleston, SC | August 6-15 | https://www.sans.org/event/security-awareness-summit-2018


-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018


-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018


-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get an iPad Mini, ASUS Chromebook, or Take $250 Off with SANS OnDemand and vLive Training until June 13.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************


TOP OF THE NEWS


 --

FireEye Report: State Election Systems at Risk

(May 31 & June 1, 2018)

A report from FireEye titled "Attacking the Ballot Box" notes that state and local election infrastructure is increasingly at risk of targeting by a range of threat actors, in particular state-sponsored cyber espionage actors. The report examines threats to electronic voter registration, state election websites, voting machines, and election management systems.


Read more in:

SC Magazine: State elections systems still hackable, report

https://www.scmagazine.com/state-elections-systems-still-hackable-report/article/770533/

Bloomberg: State Election Systems Increasingly at Risk for Cyberattacks, FireEye Says

https://www.bloomberg.com/news/articles/2018-05-31/cyber-threats-to-state-election-systems-rising-fireeye-says

SC Magazine: Attacking the Ballot Box: Threats to Election Systems

https://media.scmagazine.com/documents/343/election_systems_report_85540.pdf



 --

New York State and DHS to Hold Cybersecurity Exercises to Protect Election Integrity

(May 31, 2018)

The New York State Board of Elections and the US Department of Homeland Security (DHS) will hold regional exercises to help protect the integrity of elections in the state. The tabletop exercises will identify areas for improvement in cyber incident planning, preparedness, and response through simulation of realistic scenarios attempting to undermine voter confidence, interfere with voting operations, and affect the integrity of elections. The six exercises will be held at locations around the state over the next three weeks.


[Editor Comments]


[Pescatore] The local nature of elections in the US means progress in security has to largely be driven locally as well, but DHS and the Election Infrastructure ISAC can play key roles in spreading lessons learned/what works from exercises like this one.


Read more in:

SC Magazine: N.Y. State, DHS to practice to protect election process

https://www.scmagazine.com/ny-state-dhs-to-practice-to-protect-election-process/article/769936/

NY Governor: Governor Cuomo and State Board of Elections Announce Regional Exercises to Strengthen Cybersecurity of New York's Election Infrastructure

https://www.governor.ny.gov/news/governor-cuomo-and-state-board-elections-announce-regional-exercises-strengthen-cybersecurity



 --

NIST Seeking Comments on Lightweight Encryption Algorithm Project

(June 4, 2018)

NIST has launched an initiative to solicit, evaluate, and standardize lightweight cryptographic algorithms that are suitable for use in constrained environments where the performance of current NIST cryptographic standards is not acceptable. Comments on the DRAFT: Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process will be accepted through June 28, 2018.


[Editor Comments]


[Pescatore] In the early days of web browsers and servers, there was a lot of software implementing crappy crypto under the guise of utilizing Secure Socket Layer. NIST drove FIPS 140-1 in 1994 to standardize how good crypto should be built and it greatly raised the bar for secure transport. The Internet of Things is causing a repeat of the crappy crypto era. Good to see NIST driving this forward.


[Murray] For many applications and environments, the cryptographic algorithms, codes and ciphers that we use are stronger than we need them to be. While they are computationally intensive, the cost of computation continues to fall. The problems that we have are not so much with the algorithms as with their selection, application, implementation, and operation. Therefore, as relates to IoT, what we really need are not new algorithms but implementations that are easy to use effectively and difficult to get wrong. Note that few IoT developers are using encryption at all and almost none are implementing it from scratch.


[Neely] The hope here is to prevent a recurrence of the Infineon library problems from last fall which highlighted the need to implement the algorithm properly in a constrained environment. For those systems, consideration should be given to implementing encryption in hardware rather than attempting to add it to software on an already resource-constrained environment such as an IoT device.


Read more in:

CSRC.NIST: Lightweight Cryptography

https://csrc.nist.gov/Projects/Lightweight-Cryptography

CSRC.NIST: DRAFT: Submission Requirements and Evaluation Criteria for the Lightweight Cryptography Standardization Process

https://csrc.nist.gov/CSRC/media/Projects/Lightweight-Cryptography/documents/Draft-LWC-Submission-Requirements-April2018.pdf

Federal News Radio: Lily Chen: NIST launches program for lightweight encryption algorithms for better security

https://federalnewsradio.com/federal-drive/2018/06/nist-launches-program-for-lightweight-encryption-algorithms-for-better-security/


**************************  SPONSORED LINKS  ********************************


1) ThreatX Webcast: "Your Current Approach to Threat Detection & Neutralization is Broken" Register: http://www.sans.org/info/204420


2) How can you proactively improve your ability to better detect and respond to threats? Register to learn more: http://www.sans.org/info/204425


3) How are you dealing with the rapid evolution of Secure DevOps? Take the SANS 2018 Secure DevOps Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/204290


*****************************************************************************


THE REST OF THE WEEK'S NEWS


 --

Group Wants Atlanta to Publish Blameless Post-Mortem of Cyber Attack

(June 4, 2018)

Code for Atlanta, a self-described "bunch of civic-minded technologists," wants the city to publish a blameless post-mortem of the cyberattack that took down most of the city's computer systems for several days earlier this year. While authorities in Atlanta have acknowledged that they are working with the FBI and private companies, the city has not communicated what steps it is taking to prevent a recurrence.


[Editor Comments]


[Pescatore] More public post-mortems of major breaches are needed, blameless or not. Taxpayer-funded systems owe the taxpayers explanations on why their money won't be squandered again by the same vulnerabilities or lack of basic security hygiene.


[Northcutt] Atlanta taxpayers were unable to get basic services from their government, so of course they deserve an explanation. As every incident handler knows, a blameless post-mortem may sound good, but this is almost certainly going to come down to failure to install and maintain patches.


[Honan] I have been advocating for a number of years for something similar to this. If we look at other industries, e.g. air travel, after every major incident an independent investigation is carried out and lessons learnt are shared with all in the industry. We need to move beyond the blame culture rampant in our industry and learn from each other's incidents.


[Neely] In an age of transparency and stewardship of public trust, disclosure of what happened, the impacts, and how recurrence is being prevented needs to be SOP.

 

[Murray] While it might be nice to have documented evidence of breaches, it is not necessary. There are no secrets here. We know what we are doing wrong: we lack the will to fix it. Convenience trumps security.

 

[Williams] This is unlikely to happen in any incident response case. Rendition Infosec published information showing that the city had unpatched Internet-facing systems which had been compromised a year before the ransomware incident. The fact that the City of Atlanta never disclosed these breaches suggests that they were unaware of them. This highlights a level of technical deficit in their IT operations that probably still has not been completely uncovered even months after the attack.


Read more in:

Nextgov: After a Major Cyberattack, Does the Public Deserve an Explanation?

https://www.nextgov.com/cybersecurity/2018/06/after-major-cyber-attack-does-public-deserve-explanation/148692/

Change.org: The City of Atlanta should publish a blameless post-mortem of the ransomware attack

https://www.change.org/p/mayor-keisha-lance-bottoms-the-city-of-atlanta-should-publish-a-blameless-post-mortem-of-the-ransomware-attack

 

 --

Mobile App Developers Making Old Mistakes

(June 4, 2018)

Researchers from Texas A&M University say that mobile app developers are making the same security mistakes that web developers made nearly twenty years ago, locating business logic in client-side code rather than in server-side code. In their paper, Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities, the researchers describe a system they have developed that analyzes mobile apps to see if the web APIs they talk to are vulnerable to HTTP request parameter injection attacks.


[Editor Comments]


[Murray] The app developer often has more control over the client side than the server side. Also, by definition, in the client-server model, servers are stateless. That is why we have cookies, to store state on the client side.


[Honan] And we will see similar issues in IoT devices. The root of a lot of our issues is that developers are being taught how to code but not how to code securely. We need to encourage colleges to include secure coding and design as a core part of all computer courses.


Read more in:

Bleeping Computer: Mobile Devs Making the Same Security Mistakes Web Devs Made in the Early 2000s

https://www.bleepingcomputer.com/news/security/mobile-devs-making-the-same-security-mistakes-web-devs-made-in-the-early-2000s/

TAMU: Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities

http://faculty.cs.tamu.edu/guofei/paper/WARDroid_SP18.pdf
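As an added illustration of the mistake described above (example code written for this page, not from the Texas A&M paper or its tooling), the following Python models a checkout endpoint whose mobile client was written to compute the order total and set flags itself. The vulnerable handler accepts whatever the client sends; the hardened one re-derives every business decision from server-side data and rejects parameters it does not expect. The parameter names, the catalog, and the tampered request are all constructed for the example.

```python
"""Client-side business logic vs. server-side enforcement.

Added example, not from the WARDroid paper. The request is modeled as a
dict of HTTP parameters exactly as received from an untrusted client.
"""
from dataclasses import dataclass

# Hypothetical server-side catalog (prices in cents); clients never set prices.
CATALOG = {"sku-100": 1999, "sku-200": 4999}


@dataclass
class Order:
    sku: str
    qty: int
    total_cents: int
    gift: bool


def vulnerable_checkout(params: dict) -> Order:
    """Trusts every field the client sends.

    A mobile app that computed the total (and the 'gift' flag) on the
    device leaves the API with no choice but to believe the request, so
    any extra or modified parameter is honored as-is.
    """
    return Order(
        sku=params["sku"],
        qty=int(params["qty"]),
        total_cents=int(params["total"]),            # client-controlled price
        gift=params.get("gift", "false") == "true",  # injected flag honored
    )


class BadRequest(ValueError):
    """Raised when the server refuses a request it cannot validate."""


ALLOWED = {"sku", "qty"}  # the only parameters this endpoint accepts


def hardened_checkout(params: dict) -> Order:
    """Re-derives every business decision on the server.

    Unknown parameters are rejected instead of silently accepted, inputs
    are type- and range-checked server-side, and the total comes from the
    catalog rather than from the client.
    """
    extra = set(params) - ALLOWED
    if extra:
        raise BadRequest(f"unexpected parameters: {sorted(extra)}")
    sku = params.get("sku")
    if sku not in CATALOG:
        raise BadRequest("unknown sku")
    try:
        qty = int(params.get("qty", ""))
    except ValueError:
        raise BadRequest("qty must be an integer") from None
    if not 1 <= qty <= 10:
        raise BadRequest("qty out of range")
    return Order(sku=sku, qty=qty, total_cents=CATALOG[sku] * qty, gift=False)


# Constructed request: the client sets its own total and injects a flag.
TAMPERED = {"sku": "sku-200", "qty": "2", "total": "1", "gift": "true"}


def demo() -> tuple:
    """Run both handlers on the tampered request and report what happened."""
    bad = vulnerable_checkout(TAMPERED)
    try:
        hardened_checkout(TAMPERED)
        rejection = None
    except BadRequest as exc:
        rejection = str(exc)
    return bad.total_cents, bad.gift, rejection


if __name__ == "__main__":
    print(demo())
```

Running it shows the vulnerable handler charging one cent and marking the order as a gift, while the hardened handler rejects the request because of the two parameters it never asked for. The "reject unknown parameters" rule is the part most teams skip; it is also the one that closes off the parameter-injection class the paper's tool looks for.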


 --

Letter from DHS Official Says Evidence of Stingray Use in DC Area

(May 22, June 1 & 4, 2018)

In a May 22, 2018 letter to Senator Ron Wyden (D-Oregon), a Department of Homeland Security (DHS) official wrote that the agency's National Protection and Programs Directorate (NPPD) conducted a pilot project in which it deployed sensors capable of detecting IMSI catcher activity in the Washington, DC area. The project "did observe anomalous activity that appeared consistent with IMSI catcher technology within the area of the nation's capital, [but] NPPD has neither validated nor attributed such activity to specific entities, devices, or purposes." The letter also acknowledges that DHS has received third-party reports about unauthorized IMSI catcher technology use, as well as reports that vulnerabilities in Signaling System Seven (SS7) are being exploited to snoop on communications.


Read more in:

Wyden: Letter from DHS Official Christopher Krebs

https://www.wyden.senate.gov/imo/media/doc/Krebs%20letter%20to%20Wyden%20after%20May%20meeting.pdf

SC Magazine: StingRays used near White House, other sensitive locations

https://www.scmagazine.com/stingrays-used-near-white-house-other-sensitive-locations/article/770660/

The Register: Stingray phone stalker tech used near White House, SS7 abused to steal US citizens' data - just Friday things

http://www.theregister.co.uk/2018/06/01/wyden_ss7_stingray_fcc_homeland_security/

Ars Technica: DHS found evidence of cell phone spying near White House

https://arstechnica.com/information-technology/2018/06/dhs-found-evidence-of-cell-phone-spying-near-white-house/

The Hill: Officials disclose potential cellphone surveillance activity near White House

http://thehill.com/policy/cybersecurity/390235-officials-disclose-potential-cellphone-surveillance-activity-near-white

Cyberscoop: DHS: 'Nefarious actors' could be exploiting SS7 flaws

https://www.cyberscoop.com/ss7-stingrays-imsi-catchers-chris-krebs-dhs-ron-wyden/

 

 --

Apple Updates, and Upcoming Security Enhancements

(June 1, 2, & 4, 2018)

Apple has released updates for iOS and macOS, as well as for tvOS, watchOS, iTunes for Windows, iCloud for Windows, and Safari. Two buffer overflow flaws in the kernel code affect macOS, iOS, watchOS, and tvOS. In a separate story, on Monday, June 4 at WWDC18, Apple previewed upcoming security and privacy enhancements for macOS and iOS, including encrypted FaceTime group calls and protections for cameras and microphones.    


[Editor Comments]


[Williams] The most significant privacy enhancement upcoming in iOS is the disabling of the USB interface an hour after the screen has been locked. Previous beta releases had this feature being disabled a week after the screen was last locked. Moving the timeout to an hour effectively kills the GrayKey device that law enforcement is currently using to unlock some iPhones.


[Neely] iOS 11.4 adds support for synchronizing SMS messages to the cloud and across devices, much like photo sharing, and your MDM is likely unable to disable this setting. It also fixes the issue where text messages could arrive out of order, vehicle Bluetooth synchronization and audio issues, as well as addressing CVE-2018-4227 (EFAIL) issues processing S/MIME messages. A new security feature, USB Restricted Mode, has been added which puts the Lightning port into charge-only mode if the phone hasn't been unlocked for seven days, or immediately after being connected to an untrusted computer. This setting can only be cleared by entering the device passcode, and it makes USB access to the phone for file transfer or brute forcing of passcodes effectively impossible.


Read more in:

Apple Support: About the security content of macOS High Sierra 10.13.5, Security Update 2018-003 Sierra, Security Update 2018-003 El Capitan

https://support.apple.com/en-gb/HT208849

Bleeping Computer: Apple Releases Security Updates for macOS, iOS, Safari, More

https://www.bleepingcomputer.com/news/apple/apple-releases-security-updates-for-macos-ios-safari-more/

ZDNet: Time to patch your Mac: macOS High Sierra 10.13.5 is out

https://www.zdnet.com/article/time-to-patch-your-mac-macos-high-sierra-10-13-5-is-out/

Ars Technica: A host of new security enhancements is coming to iOS and macOS

https://arstechnica.com/information-technology/2018/06/a-host-of-new-security-enhancements-is-coming-to-ios-and-macos/

 

 --

FBI and DHS Share Information About Malware Tied to Suspected North Korean Hackers

(May 30 & 31, 2018)

The FBI and the US Department of Homeland Security (DHS) have released information via US-CERT about two malware families, the Joanap remote access tool (RAT) and the Brambul Server Message Block (SMB) worm, that appear to be linked to a North Korean hacking group known as Hidden Cobra. Both have been used in attacks against targets in the US and elsewhere around the world.


Read more in:

SC Magazine: FBI, DHS share intel on RAT and worm linked to North Korea

https://www.scmagazine.com/fbi-dhs-share-intel-on-rat-and-worm-linked-to-north-korea/article/769583/

US-CERT: HIDDEN COBRA - Joanap Backdoor Trojan and Brambul Server Message Block Worm

https://www.us-cert.gov/ncas/alerts/TA18-149A

US-CERT: MAR-10135536-3 - HIDDEN COBRA RAT/Worm

https://www.us-cert.gov/ncas/analysis-reports/AR18-149A

 

 --

Valve Fixed 10-Year-Old Remote Code Execution Flaw in Steam

(May 31, 2018)

A remote code execution vulnerability that has existed in the Steam video game platform for more than a decade has been fixed. The person who found the flaw reported it to Steam developer Valve on February 20, 2018; an initial fix was available within eight hours, and the problem completely eliminated by March 22.  


[Editor Comments]


[Murray] Problems in game platforms are problems for society only to the extent that we use the same platforms for gaming as for more sensitive applications. Much gaming is done on game appliances and increasingly on mobile devices where we have the capability to isolate them from other applications.  


Read more in:

CNET: Steam fixed a bug that reportedly left PCs vulnerable for over 10 years

https://www.cnet.com/news/steam-fixed-a-bug-that-reportedly-left-pcs-vulnerable-for-over-10-years/

Motherboard: An Exploit Left Millions of Steam Users Vulnerable for the Past 10 Years

https://motherboard.vice.com/en_us/article/9k8qv5/steam-exploit-left-users-vulnerable-for-10-years

 

 --

US Special Operations Command Stepping Up Digital Forensics Research

(May 31, 2018)

The US Special Operations Command (SOCOM) is increasing its research into digital forensics in response to terrorist groups developing new ways to hide information on digital devices. The new techniques include writing information in portions of a device's hard drive that are supposed to be off limits to users, and "hash rewriting."


[Editor Comments]


[Williams] The term "hash rewriting" is not an industry standard term and the article fails to detail specifically what it is. Based on the description in the article, it is surmised that ISIS is purposefully using hash collisions to make their data files match those that are in lists of known good files. Forensics professionals use these lists to reduce the number of files they need to examine. By creating an intentional hash collision, ISIS likely is preventing their data files from being examined. But the solution to this problem doesn't need much research - there is an obvious solution. Intentional hash collisions change the size of the resultant file. By combining the file size with the hash, it is trivial to remove the realistic possibility of hash collisions. Today's hash libraries do not specify the file size, but these can easily be rebuilt with minimal effort.


Read more in:

Nextgov: Special Operations Command Takes Aim At Enemies Hiding Files Inside Seized Electronics

https://www.nextgov.com/cybersecurity/2018/05/special-operations-command-takes-aim-enemies-hiding-files-inside-seized-electronics/148610/
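The size-plus-hash lookup that Jake Williams' comment proposes, as an added example written for this page (it is not from the Nextgov article or from any forensic product). A real digest collision cannot be produced inline, so the "colliding" seized-device record below is constructed: it carries a known-good file's digest but a different size. File names, contents and the reference set are all made up for the example.

```python
"""Known-good filtering keyed on (size, digest) rather than digest alone.

Added example illustrating the approach in the editor comment above.
The reference set stands in for a known-good hash library; the seized
listing stands in for files pulled from a device under examination.
"""
import hashlib
from typing import List, NamedTuple, Set, Tuple


class FileRecord(NamedTuple):
    name: str
    size: int
    sha256: str


def record(name: str, data: bytes) -> FileRecord:
    """Build a record the way a hashing pass over real files would."""
    return FileRecord(name, len(data), hashlib.sha256(data).hexdigest())


class KnownGoodIndex:
    """Two lookups over the same reference set, so both policies can be
    compared on identical input."""

    def __init__(self, refs: List[FileRecord]):
        self.by_hash: Set[str] = {r.sha256 for r in refs}
        self.by_hash_size: Set[Tuple[int, str]] = {(r.size, r.sha256) for r in refs}

    def triage(self, files: List[FileRecord], use_size: bool) -> List[FileRecord]:
        """Return the files that still need an examiner's attention."""
        if use_size:
            return [f for f in files if (f.size, f.sha256) not in self.by_hash_size]
        return [f for f in files if f.sha256 not in self.by_hash]


# Constructed reference set (stand-in for an OS image's known files).
KNOWN_GOOD = [
    record("kernel32.dll", b"A" * 4096),
    record("notepad.exe", b"B" * 2048),
]

# Constructed seized-device listing.
_genuine = record("kernel32.dll", b"A" * 4096)     # untouched, matches both ways
_novel = record("notes.bin", b"plans" * 100)       # unknown, must be examined
# Simulated collision: the known-good digest attached to a larger file.
_collision = FileRecord("system.dat", 4096 + 300, KNOWN_GOOD[0].sha256)
SEIZED = [_genuine, _novel, _collision]


def compare() -> Tuple[List[str], List[str]]:
    """Names left for examination under each policy."""
    idx = KnownGoodIndex(KNOWN_GOOD)
    hash_only = [f.name for f in idx.triage(SEIZED, use_size=False)]
    hash_and_size = [f.name for f in idx.triage(SEIZED, use_size=True)]
    return hash_only, hash_and_size


if __name__ == "__main__":
    ho, hs = compare()
    print("hash only     ->", ho)  # ['notes.bin']
    print("hash and size ->", hs)  # ['notes.bin', 'system.dat']
```

With the digest-only policy the planted file is filtered out as "known good"; adding the size to the key puts it back on the examiner's list. The check only helps when the collision changed the file's length, so it complements rather than replaces carrying a digest for which no practical collision is known (SHA-256) in the reference set.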

 

INTERNET STORM CENTER TECH CORNER

Apple Patches Everything

https://isc.sans.edu/forums/diary/Apple+Security+Updates/23727/


VPNFilter Makes a Comeback

https://jask.com/from-russia-with-love/


Reverse Analysis with Radare2

https://isc.sans.edu/forums/diary/Binary+analysis+with+Radare2/23723/


Pet Location Tracker Vulnerabilities

https://threatpost.com/pet-trackers-open-to-mitm-attacks-interception/132291/


Running Only Signed Code. Does it Work in Windows 10?

https://isc.sans.edu/forums/diary/Digging+into+Authenticode+Certificates/23731/


Misconfigured G-Suite Mailing Lists

https://www.kennasecurity.com/widespread-google-groups-misconfiguration-exposes-sensitive-information/


Microsoft Releases Open Source Post Quantum VPN

https://github.com/Microsoft/PQCrypto-VPN


******************************************************************************


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create