SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #47
June 15, 2018****************************************************************************
SANS NewsBites June 15, 2018 Vol. 20, Num. 047
****************************************************************************
TOP OF THE NEWS
Microsoft Releases Patch Manifesto Draft
Most Civilian Agencies Have Adopted DHS's Cyberthreat Dashboard
REST OF THE WEEK'S NEWS
PGP Flaw Fixed in Encryption Tools
Apple to Add Default USB Restricted Mode Feature for iPhone
Apple Code Signing Check Flaw
Updates Available for VMware AirWatch Agent
Lawmakers Seek Answers on FCC DDoS Claims, EAC Anti-Hacking Efforts
Another Side Channel Flaw in Intel Microprocessors
Microsoft Patch Tuesday
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Pulse Secure ************************************
ICYMI: "What Works in Visibility, Access Control and IOT Security - Pulse Secure NAC Outcomes at Energy Provider" with John Pescatore. Learn how a medium-sized Canadian power company integrated Pulse Secure Network Access Control into their network fabric to gain visibility into the assets in use, as well as enforce access controls while minimizing any business user disruption. Register: http://www.sans.org/info/204760
*****************************************************************************
-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018
-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018
-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018
-- SANS London July 2018 | July 2-7 | https://www.sans.org/event/london-july-2018
-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018
-- Security Awareness Summit 2018 | Charleston, SC | August 6-15 | https://www.sans.org/event/security-awareness-summit-2018
-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018
-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018
-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get a new iPad, Samsung Galaxy Tab A, or take $250 Off with Any OnDemand or vLive Course, Offer Ends June 27.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--
Microsoft Releases Patch Manifesto Draft
(June 13, 2018)
Microsoft has published a draft document, Security Servicing Commitments for Windows, in which it clarifies which security issues it will fix and which it will not. The document lists the "key questions" that the Microsoft Security Response Center (MSRC) uses to decide whether or not to patch an issue and how soon that patch will be released: "Does the vulnerability violate a promise made by a security boundary or a security feature that Microsoft has committed to defending?" and "Does the severity of the vulnerability meet the bar for servicing?"
[Editor Comments]
[Pescatore] There are a number of oddities in this document. Microsoft lists User Account Control, AppLocker, Data Execution Prevention, Address Space Layout Randomization and other highly touted Windows security capabilities as "defense in depth" features that "... may provide protection against a threat without making a promise," and therefore they do not get a commitment from Microsoft to patch. I think there have been lots of promises made over the years by Microsoft about those features. Another long term complaint of mine: Microsoft continues to use its own proprietary vulnerability severity rating approach vs. the Common Vulnerability Scoring Standard that most other software vendors use.
[Neely] At first blush this appears to manage the expectations around what criteria Microsoft will use to decide whether to pay bug bounties, as well as the expected response for discovered flaws in each class of security feature. This is critical for the success of the bug bounty program. Yet, their defense-in-depth security features, which include core protections like DEP and ASLR and other fundamental OS security measures are off-limits under the caveat that exploiting these flaws requires exploitation of an in-scope security feature. That could not only serve as a limit line for security researchers, but also as a target for adversaries seeking to exploit unpublished weaknesses.
Read more in:
Microsoft: Microsoft Security Servicing Commitments
Threatpost: Microsoft Reveals Which Bugs It Won't Patch
https://threatpost.com/microsoft-reveals-which-bugs-it-wont-patch/132817/
The Register: Microsoft reveals which Windows bugs it might decide not to fix
http://www.theregister.co.uk/2018/06/13/microsoft_security_servicing_commitments_for_windows_draft/
--
Most Civilian Agencies Have Adopted DHS's Cyberthreat Dashboard
(June 14, 2018)
Twenty of 23 major US civilian agencies have adopted the Department of Homeland Security's (DHS's) cyber threat dashboard. Less than a year ago, just two of the agencies had adopted the dashboard, which is part of DHS's continuous diagnostics and mitigation program (CDM). The dashboards will allow the agencies to catalog their software and share that information with DHS.
[Editor Comments]
[Paller] The original goal of this project was to improve security system by system across the federal government. It was modeled on the iPost program that reduced vulnerabilities and cyber risk by over 90%. That doesn't seem to be happening - so the money may have been wasted. If you are using the dashboard in a way that directly leads to day-to-day improvements in cyber risk, please let me know (apaller@sans.org).
Read more in:
Nextgov: Nearly All Major Agencies Are on Governmentwide Cyber Threat Dashboard
************************** SPONSORED LINKS ********************************
1) "Small Businesses, Big Threats: Protecting your Small and Medium Business Against Malware, Ransomware, Exploits and More" Register: http://www.sans.org/info/204765
2) Don't Miss: "Stopping IoT-based Attacks on Enterprise Networks" sponsored by HP. Register: http://www.sans.org/info/204770
3) How are you dealing with the rapid evolution of Secure DevOps? Take the SANS 2018 Secure DevOps Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/204775
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
PGP Flaw Fixed in Encryption Tools
(June 14, 2018)
Many broadly used encryption tools have been patched to fix a critical flaw that could have been exploited to spoof public key digital signatures. Known as the SigSpoof flaw, the issue has been present for decades.
Read more in:
Ars Technica: Decades-old PGP bug allowed hackers to spoof just about anyone's signature
--
Apple to Add Default USB Restricted Mode Feature for iPhone
(June 13 & 14, 2018)
Apple plans to release an iOS software update that will disable the iPhone lightning port an hour after the device is locked. Law enforcement authorities have been using the port to access data on seized devices. The USB Restricted Mode feature time limit will still allow the phone to charge, but any data transfer to or from the phone through the port will require the device owner's passcode after an hour. USB Restricted Mode will be enabled by default in iOS 12.
[Editor Comments]
[Pescatore] Last year there were about 3 million mobile devices at risk because they were lost or stolen. The FBI recently admitted overstating how many phones they couldn't access; one internal source was quoted as saying the correct number was about 1,200. So, if even just .05% of the lost and stolen phones were exploited by criminals, leaving security flaws open in phones would lead to more crime and more damage, not less.
[Neely] This was supposed to be included in iOS 11.3 and 11.4, and while still in the 11.4.1 beta, it is likely pushed back to iOS 12. Note that the interval before the device is disabled changed from the initial value of seven days to one hour. This is a tremendous security advantage for users with a lost or stolen device and will frustrate forensic investigators trying to acquire information. While the MDM can still unlock a managed device to enable access, there is no indication yet that this on-by-default setting can be managed centrally.
[Northcutt] And it's only law enforcement that wants data from phones? Did all the criminals take the month off? Regardless, law enforcement has proven they will pay big bucks for console GUI phone hack devices, Apple responds, and Cellebrite, Grayshift and the rest will sell the fix:
https://gizmodo.com/iphone-hackers-may-already-have-a-workaround-for-cops-t-1826851897: iPhone Hackers May Already Have a Workaround for Cops to Crack Apple's Newest Security Feature
Read more in:
Threatpost: Apple Removes iPhone USB Access Feature, Blocking Out Hackers, Law Enforcement
Computerworld: Apple wins praise for adding 'USB Restricted Mode' to secure iPhones
NYT: Apple to Close iPhone Security Hole That Law Enforcement Uses to Crack Devices
https://www.nytimes.com/2018/06/13/technology/apple-iphone-police.html
The Register: Apple will throw forensics cops off the iPhone Lightning port every hour
http://www.theregister.co.uk/2018/06/14/apple_usb_restricted_mode_hourly/
InfoSecurity Magazine: Apple Update Will Hamper Police Device Crackers
https://www.infosecurity-magazine.com/news/apple-update-police-cracking/
--
Apple Code Signing Check Flaw
(June 12, 2018)
Third-party products are releasing updates to fix the way they interact with Apple's code-signing API. The flaw could be exploited to allow malicious files to bypass the code-signing process.
Read more in:
SC Magazine: Flawed code-signing process could have let attackers pass malware off as Apple-approved
The Register: Hello, 'Apple' here, and this dodgy third-party code is A-OK with us
http://www.theregister.co.uk/2018/06/12/apple_code_signing_flaw/
--
Updates Available for VMware AirWatch Agent
(June 13, 2018)
VMware has released updates for its VMware Air Watch Agent for Android and for Windows to address a vulnerability that could be exploited to remotely execute code. The flaw lies in the AirWatch Agent real time file manager capabilities. The issue does not affect AirWatch Agent for iOS.
Read more in:
VMware: VMware AirWatch Agent updates resolve remote code execution vulnerability.
https://www.vmware.com/security/advisories/VMSA-2018-0015.html
SC Magazine: VMware patches RCE flaw for AirWatch Agent for Android, AirWatch Agent for Windows
https://www.scmagazine.com/vmware-patches-remote-code-execution-flaw/article/773150/
--
Lawmakers Seek Answers on FCC DDoS Claims, EAC Anti-Hacking Efforts
(June 13, 2018)
US legislators are seeking answers about the Federal Communications Commission's (FCC's) that its pubic comment system was the victim of distributed denial-of-service (DDoS) attacks in 2014 and again in 2017. They are also looking into what the Election Assistance Commission (EAC) is doing to help prevent election hacking.
[Editor Comments]
[Williams] Enough. Sure, send a message that "cyber hyperbole" won't be tolerated in government. But at this point, continuing to investigate this is taking scarce resources (and national attention) from very serious problems with our national cybersecurity posture. Attention really needs to be focused elsewhere.
Read more in:
The Register: US senators get digging to find out the truth about FCC DDoS attack
http://www.theregister.co.uk/2018/06/13/fcc_ddos_election/
--
Another Side Channel Flaw in Intel Microprocessors
(June 13, 2018)
Yet another security issue has been found to affect Intel Core and Xeon processors. The vulnerability involves the way the affected Intel chips manage the Lazy FP state restore technique. The flaw could be exploited to steal data from the chips' math processing units.
Read more in:
Dark Reading: Intel Discloses Yet Another Side Channel Vulnerability
ZDNet: Another day, another Intel CPU security hole: Lazy State
https://www.zdnet.com/article/another-day-another-intel-cpu-security-hole-lazy-state/
The Register: Intel chip flaw: Math unit may spill crypto secrets to apps - modern Linux, Windows, BSDs immune
http://www.theregister.co.uk/2018/06/13/intel_lazy_fpu_state_security_flaw/
Bleeping Computer: New Lazy FP State Restore Vulnerability Affects All Intel Core CPUs
--
Microsoft Patch Tuesday
(June 12, 2018)
On Tuesday, June 12, Microsoft released security updates to address 50 security issues in Windows, Internet Explorer, Edge, Office, Adobe Flash Player, and other software. Eleven of the vulnerabilities are rated critical; they include a remote code execution flaw in the Windows Domain Name System, and a privilege escalation issue in the Cortana voice engine.
Read more in:
Microsoft: Security Update Guide
https://portal.msrc.microsoft.com/en-us/security-guidance
KrebsOnSecurity:
Microsoft Patch Tuesday
, June 2018 Editionhttps://krebsonsecurity.com/2018/06/microsoft-patch-tuesday-june-2018-edition/
Threatpost: June Patch Tuesday: Microsoft Issues Fixes For DNS, Cortana
https://threatpost.com/june-patch-tuesday-microsoft-issues-fixes-for-dns-cortana/132778/
ZDNet: Windows 10 black screen problems fixed, as Microsoft patches 50 security flaws
INTERNET STORM CENTER TECH CORNER
More Malspam Pushing Lokibot
https://isc.sans.edu/forums/diary/More+malspam+pushing+Lokibot/23754/
Ethereum JSON RPC Theft
https://twitter.com/360Netlab/status/1006065566728085504
CryptoCurrency Miner Plays Hide-and-Seek
Apple Outlaws Crypto Currency Miners in App Store
https://developer.apple.com/app-store/review/guidelines/#hardware-compatibility
FBI Arrests Suspects in BEC Investigation
https://www.fbi.gov/news/stories/international-bec-takedown-061118
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+June+2018+Patch+Tuesday/23758/
Apple Code Signing Verification Vulnerability
https://www.okta.com/security-blog/2018/06/issues-around-third-party-apple-code-signing-checks/
Extracting Timely Sign-In Data from Office 365 Logs
From MicroTik With Love: Yet Another Router Botnet?
https://isc.sans.edu/forums/diary/From+Microtik+with+Love/23762/
Using Cortana To Compromise Windows 10
Compromised Docker Images
Lazy FPU Save/Restore Allows Malware Access to FPU
https://access.redhat.com/solutions/3485131
Analyzing a Compromised Wordpress Site
https://isc.sans.edu/forums/diary/A+Bunch+of+Compromized+Wordpress+Sites/23764/
Breaking Bluetooth Low Energy Smart Padlock
https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-smart-lock/
WIM Disk Image Vulnerability
https://blog.talosintelligence.com/2018/06/vulnerability-spotlight-talos-2018-0545.html
Google Chrome Restricting Inline Extension Install
https://blog.chromium.org/2018/06/improving-extension-transparency-for.html
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
